Red Hat OVAL Patch Definition Merger 2 5.3 2012-05-23T04:50:01 Red Hat Enterprise Linux 3 Quagga is an open source implementation of TCP/IP routing software. Herbert Xu reported that Quagga can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to this issue. Users of Quagga should upgrade to these erratum packages, which contain a patch that checks that netlink messages actually came from the kernel. This erratum also includes quagga-devel and quagga-contrib packages which were not originally shipped with Red Hat Enterprise Linux 3. Low Copyright 2003 Red Hat, Inc. CVE-2003-0858 CAN-2003-0858 Netlink local DoS: quagga cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The iproute package contains advanced IP routing and network device configuration tools. Herbert Xu reported that iproute can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0856 to this issue. Users of iproute should upgrade to these erratum packages, which contain a patch that checks that netlink messages actually came from the kernel. Low Copyright 2003 Red Hat, Inc. CVE-2003-0856 CAN-2003-0856 Netlink local DoS: iproute cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. A number of security issues affect Ethereal. By exploiting these issues, it may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully-malformed packet onto the wire or by convincing someone to read a malformed packet trace file. A buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed GTP MSISDN string. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0925 to this issue. Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service (crash) via certain malformed ISAKMP or MEGACO packets. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0926 to this issue. A heap-based buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SOCKS dissector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0927 to this issue. Users of Ethereal should update to these erratum packages containing Ethereal version 0.9.16, which is not vulnerable to these issues. Moderate Copyright 2003 Red Hat, Inc. CVE-2003-0925 CVE-2003-0926 CVE-2003-0927 CAN-2003-0925/6/7 Ethereal 0.9.13 has three exploitable security issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The glibc packages contain GNU libc, which provides standard system libraries. Herbert Xu reported that various applications can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The glibc function getifaddrs uses netlink and could therefore be vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0859 to this issue. In addition to the security issues, a number of other bugs were fixed. Users are advised to upgrade to these erratum packages, which contain a patch that checks that netlink messages actually came from the kernel and patches for the various bug fixes. Low Copyright 2003 Red Hat, Inc. CVE-2003-0859 backtrace() is broken getnameinfo fails to to reverse lookup on IPv6 addresses LD_PROFILE=libc.so.6 and sprof give seg fault locale utility is broken on big-endian 64-bit platforms LTC5138-NPTL: pthread_condtimedwait hang or mutex_lock hang Signal handler installation races with signal, glibc-2.3.2 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 FreeRADIUS is an Internet authentication daemon, which implements the RADIUS protocol. It allows Network Access Servers (NAS boxes) to perform authentication for dial-up users. The rad_decode function in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute with a tag, which causes memcpy to be called with a -1 length argument, as demonstrated using the Tunnel-Password attribute. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0967 to this issue. Users of FreeRADIUS are advised to upgrade to these erratum packages containing FreeRADIUS 0.9.3 which is not vulnerable to these issues. Moderate Copyright 2003 Red Hat, Inc. CVE-2003-0967 CAN-2003-0967/8 FreeRadius remote DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 GnuPG is a utility for encrypting data and creating digital signatures. Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys, when those keys are used both to sign and encrypt data. This vulnerability can be used to trivially recover the private key. While the default behavior of GnuPG when generating keys does not lead to the creation of unsafe keys, by overriding the default settings an unsafe key could have been created. If you are using ElGamal keys, you should revoke those keys immediately. The packages included in this update do not make ElGamal keys safe to use; they merely include a patch by David Shaw that disables functions that would generate or use ElGamal keys. To determine if your key is affected, run the following command to obtain a list of secret keys that you have on your secret keyring: gpg --list-secret-keys The output of this command includes both the size and type of the keys found, and will look similar to this example: /home/example/.gnupg/secring.gpg ---------------------------------------------------- sec 1024D/01234567 2000-10-17 Example User <example@example.com> uid Example User <example@example.com> The key length, type, and ID are listed together, separated by a forward slash. In the example output above, the key's type is "D" (DSA, sign and encrypt). Your key is unsafe if and only if the key type is "G" (ElGamal, sign and encrypt). In the above example, the secret key is safe to use, while the secret key in the following example is not: /home/example/.gnupg/secring.gpg ---------------------------------------------------- sec 1024G/01234567 2000-10-17 Example User <example@example.com> uid Example User <example@example.com> For more details regarding this issue, as well as instructions on how to revoke any keys that are unsafe, refer to the advisory available from the GnuPG web site: http://www.gnupg.org/ Important Copyright 2003 Red Hat, Inc. CVE-2003-0971 CAN-2003-0971 GnuPG ElGamal compromise cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 rsync is a program for sychronizing files over the network. A heap overflow bug exists in rsync versions prior to 2.5.7. On machines where the rsync server has been enabled, a remote attacker could use this flaw to execute arbitrary code as an unprivileged user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0962 to this issue. All users should upgrade to these erratum packages containing version 2.5.7 of rsync, which is not vulnerable to this issue. NOTE: The rsync server is disabled (off) by default in Red Hat Enterprise Linux. To check if the rsync server has been enabled (on), run the following command: /sbin/chkconfig --list rsync If the rsync server has been enabled but is not required, it can be disabled by running the following command as root: /sbin/chkconfig rsync off Red Hat would like to thank the rsync team for their rapid response and quick fix for this issue. Critical Copyright 2003 Red Hat, Inc. CVE-2003-0962 CAN-2003-0962 rsync remote exploit cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 lftp is a command-line file transfer program supporting FTP and HTTP protocols. Ulf Härnhammar discovered a buffer overflow bug in versions of lftp up to and including 2.6.9. An attacker could create a carefully crafted directory on a website such that, if a user connects to that directory using the lftp client and subsequently issues a 'ls' or 'rels' command, the attacker could execute arbitrary code on the users machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0963 to this issue. Users of lftp are advised to upgrade to these erratum packages, which contain a backported security patch and are not vulnerable to this issue. Red Hat would like to thank Ulf Härnhammar for discovering and alerting us to this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2003-0963 CAN-2003-0963 lftp client buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel versions 2.4.23 and previous which may allow a local attacker to gain root privileges. No exploit is currently available; however, it is believed that this issue is exploitable (although not trivially.) The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0985 to this issue. All users of Red Hat Enterprise Linux 3 are advised to upgrade to these errata packages, which contain a backported security patch that corrects this issue. Red Hat would like to thank Paul Starzetz from ISEC for disclosing this issue as well as Andrea Arcangeli and Solar Designer for working on the patch. Important Copyright 2004 Red Hat, Inc. CVE-2003-0985 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. Two security issues have been found that affect Ethereal. By exploiting these issues it may be possible to make Ethereal crash by injecting an intentionally malformed packet onto the wire or by convincing someone to read a malformed packet trace file. It is not known if these issues could allow arbitrary code execution. The SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of Selected packets. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-1012 to this issue. The Q.931 dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-1013 to this issue. Users of Ethereal should update to these erratum packages containing Ethereal version 0.10.0, which is not vulnerable to these issues. Low Copyright 2004 Red Hat, Inc. CVE-2003-1012 CVE-2003-1013 CAN-2003-1012/3 Ethereal security issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 CVS is a version control system frequently used to manage source code repositories. A flaw was found in versions of CVS prior to 1.11.10 where a malformed module request could cause the CVS server to attempt to create files or directories at the root level of the file system. However, normal file system permissions would prevent the creation of these misplaced directories. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0977 to this issue. Users of CVS are advised to upgrade to these erratum packages, which contain a patch correcting this issue. For Red Hat Enterprise Linux 2.1, these updates also fix an off-by-one overflow in the CVS PreservePermissions code. The PreservePermissions feature is not used by default (and can only be used for local CVS). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0844 to this issue. Low Copyright 2004 Red Hat, Inc. CVE-2002-0844 CVE-2003-0977 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The K Desktop Environment (KDE) is a graphical desktop for the X Window System. The KDE Personal Information Management (kdepim) suite helps you to organize your mail, tasks, appointments, and contacts. The KDE team found a buffer overflow in the file information reader of VCF files. An attacker could construct a VCF file so that when it was opened by a victim it would execute arbitrary commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue. Users of kdepim are advised to upgrade to these erratum packages which contain a backported security patch that corrects this issue. Important Copyright 2004 Red Hat, Inc. CVE-2003-0988 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Tcpdump is a command-line tool for monitoring network traffic. George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue. Jonathan Heusser discovered an additional flaw in the ISAKMP decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue. Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue. Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these pakets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2003-0989 CVE-2004-0055 CVE-2004-0057 CAN-2003-0989 tcpdump parsing overflow CAN-2004-0055 CAN-2004-0057 Two issues found in tpcdump cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. An issue in the handling of regular expressions from configuration files was discovered in releases of the Apache HTTP Server version 2.0 prior to 2.0.48. To exploit this issue an attacker would need to have the ability to write to Apache configuration files such as .htaccess or httpd.conf. A carefully-crafted configuration file can cause an exploitable buffer overflow and would allow the attacker to execute arbitrary code in the context of the server (in default configurations as the 'apache' user). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0542 to this issue. Users of the Apache HTTP Server should upgrade to these erratum packages, which contain backported patches correcting these issues, and are applied to Apache version 2.0.46. This update also includes fixes for a number of minor bugs found in this version of the Apache HTTP Server. Low Copyright 2004 Red Hat, Inc. CVE-2003-0542 long httpd graceful reload times CAN-2003-0542 local buffer overflow in config file parsing cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the first regular kernel update for Red Hat Enterprise Linux version 3. It contains a new critical security fix, many other bug fixes, several device driver updates, and numerous performance and scalability enhancements. On AMD64 systems, a fix was made to the eflags checking in 32-bit ptrace emulation that could have allowed local users to elevate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0001 to this issue. Other bug fixes were made in the following kernel areas: VM, NPTL, IPC, kernel timer, ext3, NFS, netdump, SCSI, ACPI, several device drivers, and machine-dependent support for the x86_64, ppc64, and s390 architectures. The VM subsystem was improved to better handle extreme loads and resource contention (such as might occur during heavy database application usage). This has resulted in a significantly reduced possibility of hangs, OOM kills, and low-mem exhaustion. Several NPTL fixes were made to resolve POSIX compliance issues concerning process IDs and thread IDs. A section in the Release Notes elaborates on a related issue with file record locking in multi-threaded applications. AMD64 kernels are now configured with NUMA support, S390 kernels now have CONFIG_BLK_STATS enabled, and DMA capability was restored in the IA64 agpgart driver. The following drivers have been upgraded to new versions: cmpci ------ 6.36 e100 ------- 2.3.30-k1 e1000 ------ 5.2.20-k1 ips -------- 6.10.52 megaraid --- v1.18k megaraid2 -- v2.00.9 All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2003-0986 CVE-2004-0001 Infinite recursion in SCSI mid layer Assert failure in transaction.c:1224: "!jh->b_committed_data C write fails for records gt 2 GB hang in ptrace for gdb traceback SMP Kernel hang on shutdown with Intel SRCZCR Raid Controller Broadcom tg3 driver duplex won't set SCSI I/O stall problem Base driver button not loaded LTC4829-RHEL 3 HANGS under heavy stress load No disk/partition statistics in /proc/partitions Millisecond timer resolution on ia64 No AGP support on Tyan 2885 K8W running processes are not listed in /proc, with ps or top Kernel Panic when running pulse deamon cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Net-SNMP project includes various Simple Network Management Protocol (SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could allow an existing user/community to gain access to data in MIB objects that were explicitly excluded from their view. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0935 to this issue. Users of Net-SNMP are advised to upgrade to these errata packages containing Net-SNMP 5.0.9, which is not vulnerable to this issue. In addition, Net-SNMP 5.0.9 fixes a number of other minor bugs. Moderate Copyright 2004 Red Hat, Inc. CVE-2003-0935 net-snmp unauthorised access to mibs cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The netpbm package contains a library of functions that support programs for handling various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps), and others. A number of temporary file bugs have been found in versions of NetPBM. These could make it possible for a local user to overwrite or create files as a different user who happens to run one of the the vulnerable utilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0924 to this issue. Users are advised to upgrade to the erratum packages, which contain patches from Debian that correct these bugs. Moderate Copyright 2004 Red Hat, Inc. CVE-2003-0924 CAN-2003-0924 netpbm temporary file vulnerabilities cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Gaim is an instant messenger client that can handle multiple protocols. Stefan Esser audited the Gaim source code and found a number of bugs that have security implications. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. However at least one of the buffer overflows could be exploited by an attacker sending a carefully-constructed malicious message through a server. The issues include: Multiple buffer overflows that affect versions of Gaim 0.75 and earlier. 1) When parsing cookies in a Yahoo web connection, 2) YMSG protocol overflows parsing the Yahoo login webpage, 3) a YMSG packet overflow, 4) flaws in the URL parser, and 5) flaws in HTTP Proxy connect. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0006 to these issues. A buffer overflow in Gaim 0.74 and earlier in the Extract Info Field Function used for MSN and YMSG protocol handlers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0007 to this issue. An integer overflow in Gaim 0.74 and earlier, when allocating memory for a directIM packet results in heap overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0008 to this issue. All users of Gaim should upgrade to these erratum packages, which contain backported security patches correcting these issues. Red Hat would like to thank Steffan Esser for finding and reporting these issues and Jacques A. Vidrine for providing initial patches. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0006 CVE-2004-0007 CVE-2004-0008 CAN-2004-0006/7/8 Multiple vulnerabilities in Gaim cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Slocate is a security-enhanced version of locate, designed to find files on a system via a central database. Patrik Hornik discovered a vulnerability in Slocate versions up to and including 2.7 where a carefully crafted database could overflow a heap-based buffer. A local user could exploit this vulnerability to gain "slocate" group privileges and then read the entire slocate database. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0848 to this issue. Users of Slocate should upgrade to these erratum packages, which contain Slocate version 2.7 with the addition of a patch from Kevin Lindsay that causes slocate to drop privileges before reading a user-supplied database. For Red Hat Enterprise Linux 2.1 these packages also fix a buffer overflow that affected unpatched versions of Slocate prior to 2.7. This vulnerability could also allow a local user to gain "slocate" group privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0056 to this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2003-0848 CVE-2003-0056 CAN-2003-0848 slocate buffer overflow CAN-2003-0056 buffer overflow in slocate cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PWLib is a cross-platform class library designed to support the OpenH323 project. OpenH323 provides an implementation of the ITU H.323 teleconferencing protocol, used by packages such as Gnome Meeting. A test suite for the H.225 protocol (part of the H.323 family) provided by the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker could trigger these bugs by sending carefully crafted messages to an application. The effects of such an attack can vary depending on the application, but would usually result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0097 to this issue. Users are advised to upgrade to the erratum packages, which contain backported security fixes and are not vulnerable to these issues. Red Hat would like to thank Craig Southeren of the OpenH323 project for providing the fixes for these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0097 CAN-2004-0097 PWlib/OpenH323 vulnerabilities cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mutt is a text-mode mail user agent. A bug was found in the index menu code in versions of mutt. A remote attacker could send a carefully crafted mail message that can cause mutt to segfault and possibly execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0078 to this issue. It is recommended that all mutt users upgrade to these updated packages, which contain a backported security patch and are not vulnerable to this issue. Red Hat would like to thank Niels Heinen for reporting this issue. Note: mutt-1.2.5.1 in Red Hat Enterprise Linux 2.1 is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0078 CAN-2004-0078 Mutt can be remotely crashed cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Sysstat is a tool for gathering system statistics. Isag is a utility for graphically displaying these statistics. A bug was found in the Red Hat sysstat package post and trigger scripts, which used insecure temporary file names. A local attacker could overwrite system files using carefully-crafted symbolic links in the /tmp directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0107 to this issue. While fixing this issue, a flaw was discovered in the isag utility, which also used insecure temporary file names. A local attacker could overwrite files that the user running isag has write access to using carefully-crafted symbolic links in the /tmp directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0108 to this issue. Other issues addressed in this advisory include: * iostat -x should return all partitions on the system (up to a maximum of 1024) * sar should handle network device names with more than 8 characters properly * mpstat should work correctly with more than 7 CPUs as well as generate correct statistics when accessing individual CPUs. This issue only affected Red Hat Enterprise Linux 2.1 * The sysstat package was not built with the proper dependencies; therefore, it was possible that isag could not be run because the necessary tools were not available. Therefore, isag was split off into its own subpackage with the required dependencies in place. This issue only affects Red Hat Enterprise Linux 2.1. Users of sysstat and isag should upgrade to these updated packages, which contain patches to correct these issues. NOTE: In order to use isag on Red Hat Enterprise Linux 2.1, you must install the sysstat-isag package after upgrading. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0107 CVE-2004-0108 sysstat package post scripts, trigger scripts use insecure tmp files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 mod_python embeds the Python language interpreter within the Apache httpd server. A bug has been found in mod_python versions 2.7.10 and earlier that can lead to a denial of service vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0973 to this issue. Although Red Hat Enterprise Linux shipped with a version of mod_python that contains this bug, our testing was unable to trigger the denial of service vulnerability. However, mod_python users are advised to upgrade to these errata packages, which contain a backported patch that corrects this bug. Low Copyright 2004 Red Hat, Inc. CVE-2003-0973 CVE-2004-0096 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an implementation of the X Window System, providing the core graphical user interface and video drivers. iDefense discovered two buffer overflows in the parsing of the 'font.alias' file. A local attacker could exploit this vulnerability by creating a carefully-crafted file and gaining root privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0083 and CAN-2004-0084 to these issues. Additionally David Dawes discovered additional flaws in reading font files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0106 to these issues. All users of XFree86 are advised to upgrade to these erratum packages, which contain a backported fix and are not vulnerable to these issues. Red Hat would like to thank David Dawes from XFree86 for the patches and notification of these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0083 CVE-2004-0084 CVE-2004-0106 CAN-2004-0083 XFree86 font.alias overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. The Samba team discovered an issue that affects version 3.0.0 and 3.0.1 of Samba. If an account for a user is created, but marked as disabled using the mksmbpasswd script, it is possible for Samba to overwrite the user's password with the contents of an uninitialized buffer. This might lead to a disabled account becoming enabled with a password that could be guessed by an attacker. Although this is likely to be a low risk issue for most Samba users, we have provided updated packages, which contain a backported patch correcting this issue. Red Hat would like to thank the Samba team for reporting this issue and providing us with a patch. Note: Due to a packaging error in samba-3.0.0-14.3E, the winbind daemon is not automatically restarted when the Samba package is upgraded. After up2date has installed the samba-3.0.2-4.3E packages, you must run "/sbin/service winbind condrestart" as root to restart the winbind daemon. Low Copyright 2004 Red Hat, Inc. CVE-2004-0082 CAN-2004-0082 mksmbpasswd vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered a flaw in return value checking in mremap() in the Linux kernel versions 2.4.24 and previous that may allow a local attacker to gain root privileges. No exploit is currently available; however this issue is exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0077 to this issue. All users are advised to upgrade to these errata packages, which contain backported security patches that correct these issues. Red Hat would like to thank Paul Starzetz from ISEC for reporting this issue. For the IBM S/390 and IBM eServer zSeries architectures, the upstream version of the s390utils package (which fixes a bug in the zipl bootloader) is also included. Important Copyright 2004 Red Hat, Inc. CVE-2004-0077 OOM killer strikes with lots of free swap space RHEL 3.0 smp hang using prctl( PR_SET_PDEATHSIG CAN-2004-0077 Linux kernel do_mremap VMA limit local privilege escalation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The nfs-utils package contains the rpc.mountd program, which implements the NFS mount protocol. A flaw was discovered in versions of rpc.mountd in nfs-utils versions after 1.0.3 and prior to 1.0.6. When mounting a directory, rpc.mountd could crash if the reverse lookup of the client in DNS failed to match the forward lookup. An attacker who has the ability to mount remote directories from a server could make use of this flaw to cause a denial of service by making rpc.mountd crash. Users are advised to upgrade to these updated packages, which contain nfs-utils 1.0.6 and is not vulnerable to this issue. NOTE: Red Hat Enterprise Linux 2.1 includes a version of rpc.mountd that is not vulnerable to this issue. Low Copyright 2004 Red Hat, Inc. CVE-2004-0154 rpc.mountd killed by remote mount request cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. A memory leak in mod_ssl in the Apache HTTP Server prior to version 2.0.49 allows a remote denial of service attack against an SSL-enabled server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0113 to this issue. This update also includes various bug fixes, including: - Improvements to the mod_expires, mod_dav, mod_ssl, and mod_proxy modules - A fix for a bug causing core dumps during configuration parsing on the IA64 platform - An updated version of mod_include fixing several edge cases in the SSI parser Additionally, the mod_logio module is now included. Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0113 Invalid paths in config_vars.mk crash build of mod_jk mod_expires headers not set when used in conjunction with mod_proxy SRPMS: test for MMN version it too fragile Satisfy keyword in httpd.conf causes apache to segfault on load pcre conflict between httpd and php CAN-2004-0113 mod_ssl Denial of Service attack cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 libxml2 is a library for manipulating XML files. Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0110 to this issue. All users are advised to upgrade to these updated packages, which contain a backported fix and are not vulnerable to this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0110 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. Thomas Kristensen discovered a bitmap file that would cause versions of gdk-pixbuf prior to 0.20 to crash. To exploit this flaw, an attacker would need to get a victim to open a carefully-crafted BMP file in an application that used gdk-pixbuf. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0111 to this issue. Users are advised to upgrade to these updated packages containing gdk-pixbuf version 0.22, which is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0111 CAN-2004-0111 gdk-pixbuf can crash with malicious BMP file cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is a Web browser and mail reader, designed for standards compliance, performance and portability. Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. NISCC testing of implementations of the S/MIME protocol uncovered a number of bugs in NSS versions prior to 3.9. The parsing of unexpected ASN.1 constructs within S/MIME data could cause Mozilla to crash or consume large amounts of memory. A remote attacker could potentially trigger these bugs by sending a carefully-crafted S/MIME message to a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0564 to this issue. Andreas Sandblad discovered a cross-site scripting issue that affects various versions of Mozilla. When linking to a new page it is still possible to interact with the old page before the new page has been successfully loaded. Any Javascript events will be invoked in the context of the new page, making cross-site scripting possible if the different pages belong to different domains. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0191 to this issue. Flaws have been found in the cookie path handling between a number of Web browsers and servers. The HTTP cookie standard allows a Web server supplying a cookie to a client to specify a subset of URLs on the origin server to which the cookie applies. Web servers such as Apache do not filter returned cookies and assume that the client will only send back cookies for requests that fall within the server-supplied subset of URLs. However, by supplying URLs that use path traversal (/../) and character encoding, it is possible to fool many browsers into sending a cookie to a path outside of the originally-specified subset. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0594 to this issue. Users of Mozilla are advised to upgrade to these updated packages, which contain Mozilla version 1.4.2 and are not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2003-0564 CVE-2003-0594 CVE-2004-0191 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3), Transport Layer Security (TLS v1) protocols, and serves as a full-strength general purpose cryptography library. Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function in OpenSSL 0.9.6c-0.9.6k and 0.9.7a-0.9.7c. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that uses the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0079 to this issue. Stephen Henson discovered a flaw in SSL/TLS handshaking code when using Kerberos ciphersuites in OpenSSL 0.9.7a-0.9.7c. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. Most applications have no ability to use Kerberos ciphersuites and will therefore be unaffected by this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0112 to this issue. Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a bug in older versions of OpenSSL 0.9.6 prior to 0.9.6d that may lead to a denial of service attack (infinite loop). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0081 to this issue. This issue affects only the OpenSSL compatibility packages shipped with Red Hat Enterprise Linux 3. These updated packages contain patches provided by the OpenSSL group that protect against these issues. Additionally, the version of libica included in the OpenSSL packages has been updated to 1.3.5. This only affects IBM s390 and IBM eServer zSeries customers and is required for the latest openCryptoki packages. NOTE: Because server applications are affected by this issue, users are advised to either restart all services that use OpenSSL functionality or restart their systems after installing these updates. Important Copyright 2004 Red Hat, Inc. CVE-2004-0079 CVE-2004-0081 CVE-2004-0112 CAN-2004-0079/0081/0112 Flaws in OpenSSL cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A bug was found in the processing of %-encoded characters in a URL in versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses Access Control Lists (ACLs), a remote attacker could create URLs that would not be correctly tested against Squid's ACLs, potentially allowing clients to access prohibited URLs. Users of Squid should update to these erratum packages which are not vulnerable to this issue. In addition, these packages contain a new Access Control type, "urllogin", which can be used to protect vulnerable Microsoft Internet Explorer clients from accessing URLs that contain login information. Such URLs are often used by fraudsters to trick web users into revealing valuable personal data. Note that the default Squid configuration does not make use of this new access control type. You must explicitly configure Squid with ACLs that use this new type, in accordance with your own site policies. Low Copyright 2004 Red Hat, Inc. CVE-2004-0189 CAN-2004-0189 Squid ACL bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. Stefan Esser reported that Ethereal versions 0.10.1 and earlier contain stack overflows in the IGRP, PGM, Metflow, ISUP, TCAP, or IGAP dissectors. On a system where Ethereal is being run a remote attacker could send malicious packets that could cause Ethereal to crash or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0176 to this issue. Jonathan Heussser discovered that a carefully-crafted RADIUS packet could cause a crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0365 to this issue. Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0367 to this issue. Users of Ethereal should upgrade to these updated packages, which contain a version of Ethereal that is not vulnerable to these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0176 CVE-2004-0365 CVE-2004-0367 CVE-2004-1761 CAN-2004-0176 Ethereal dissector overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 CVS is a version control system frequently used to manage source code repositories. Sebastian Krahmer discovered a flaw in CVS clients where rcs diff files can create files with absolute pathnames. An attacker could create a fake malicious CVS server that would cause arbitrary files to be created or overwritten when a victim connects to it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0180 to this issue. Derek Price discovered a vulnerability whereby a CVS pserver could be abused by a malicious client to view the contents of certain files outside of the CVS root directory using relative pathnames containing "../". The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0405 to this issue. Users of CVS are advised to upgrade to these erratum packages, which contain a patch correcting this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0180 CVE-2004-0405 CAN-2004-0180 Malicious CVS server cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenOffice.org is an Open Source, community-developed, multi-platform office productivity suite. OpenOffice internally uses inbuilt code from neon, an HTTP and WebDAV client library. Versions of the neon client library up to and including 0.24.4 have been found to contain a number of format string bugs. An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client should a user connect to it using OpenOffice. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0179 to this issue. Users of OpenOffice are advised to upgrade to these updated packages, which contain a patch correcting this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0179 CAN-2004-0179 neon format string vulnerability affects openoffice cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 IPSEC uses strong cryptography to provide both authentication and encryption services. With versions of ipsec-tools prior to 0.2.3, it was possible for an attacker to cause unauthorized deletion of SA (Security Associations.) The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0164 to this issue. With versions of ipsec-tools prior to 0.2.5, the RSA signature on x.509 certificates was not properly verified when using certificate based authentication. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0155 to this issue. When ipsec-tools receives an ISAKMP header, it will attempt to allocate sufficient memory for the entire ISAKMP message according to the header's length field. If an attacker crafts an ISAKMP header with a extremely large value in the length field, racoon may exceed operating system resource limits and be terminated, resulting in a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0403 to this issue. User of IPSEC should upgrade to this updated package, which contains ipsec-tools version 0.25 along with a security patch for CAN-2004-0403 which resolves all these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0155 CVE-2004-0164 CVE-2004-0403 CAN-2004-0155/CAN-2004-0164/CAN-2004-0403 IPSEC vulnerabilities cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Utempter is a utility that allows terminal applications such as xterm and screen to update utmp and wtmp without requiring root privileges. Steve Grubb discovered a flaw in Utempter which allowed device names containing directory traversal sequences such as '/../'. In combination with an application that trusts the utmp or wtmp files, this could allow a local attacker the ability to overwrite privileged files using a symlink. Users should upgrade to this new version of utempter, which fixes this vulnerability. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0233 CAN-2004-0233 utempter directory traversal symlink attack cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 LHA is an archiving and compression utility for LHarc format archives. Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA. An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0234 to this issue. An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0235 to this issue. Users of LHA should update to this updated package which contains backported patches not vulnerable to these issues. Red Hat would like to thank Ulf Harnhammar for disclosing and providing test cases and patches for these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0234 CVE-2004-0235 CAN-2004-0234/0235 lha security flaws cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. Steve Grubb discovered a out of bounds memory access flaw in libpng. An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash when opened by a victim. This issue may not be used to execute arbitrary code. Users are advised to upgrade to these updated packages that contain a backported security fix not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0421 CAN-2004-0421 libpng can access out of bounds memory cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. iSEC Security Research discovered a flaw in the ip_setsockopt() function code of the Linux kernel versions 2.4.22 to 2.4.25 inclusive. This flaw also affects the 2.4.21 kernel in Red Hat Enterprise Linux 3 which contained a backported version of the affected code. A local user could use this flaw to gain root privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0424 to this issue. iDefense reported a buffer overflow flaw in the ISO9660 filesystem code. An attacker could create a malicious filesystem in such a way that root privileges may be obtained if the filesystem is mounted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0109 to this issue. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2004-0109 CVE-2004-0424 CAN-2004-0109 kernel iso9660 buffer overflow CAN-2004-0424 Linux kernel setsockopt MCAST_MSFILTER integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the second regular kernel update to Red Hat Enterprise Linux version 3. It contains several minor security fixes, many bug fixes, device driver updates, new hardware support, and the introduction of Linux Syscall Auditing support. There were bug fixes in many different parts of the kernel, the bulk of which addressed unusual situations such as error handling, race conditions, and resource starvation. The combined effect of the approximately 140 fixes is a strong improvement in the reliability and durability of Red Hat Enterprise Linux. Some of the key areas affected are disk drivers, network drivers, USB support, x86_64 and ppc64 platform support, ia64 32-bit emulation layer enablers, and the VM, NFS, IPv6, and SCSI subsystems. A significant change in the SCSI subsystem (the disabling of the scsi-affine-queue patch) should significantly improve SCSI disk driver performance in many scenarios. There were 10 Bugzillas against SCSI performance problems addressed by this change. The following drivers have been upgraded to new versions: bonding ---- 2.4.1 cciss ------ 2.4.50.RH1 e1000 ------ 5.2.30.1-k1 fusion ----- 2.05.11.03 ipr -------- 1.0.3 ips -------- 6.11.07 megaraid2 -- 2.10.1.1 qla2x00 ---- 6.07.02-RH1 tg3 -------- 3.1 z90crypt --- 1.1.4 This update introduces support for the new Intel EM64T processor. A new "ia32e" architecture has been created to support booting on platforms based on either the original AMD Opteron CPU or the new Intel EM64T CPU. The existing "x86_64" architecture has remained optimized for Opteron systems. Kernels for both types of systems are built from the same x86_64-architecture sources and share a common kernel source RPM (kernel-source-2.4.21-15.EL.x86_64.rpm). Other highlights in this update include a major upgrade to the SATA infrastructure, addition of IBM JS20 Power Blade support, and creation of an optional IBM eServer zSeries On-Demand Timer facility for reducing idle CPU overhead. The following security issues were addressed in this update: A minor flaw was found where /proc/tty/driver/serial reveals the exact character counts for serial links. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0461 to this issue. The kernel strncpy() function in Linux 2.4 and 2.5 does not pad the target buffer with null bytes on architectures other than x86, as opposed to the expected libc behavior, which could lead to information leaks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0465 to this issue. A minor data leak was found in two real time clock drivers (for /dev/rtc). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0984 to this issue. A flaw in the R128 Direct Render Infrastructure (dri) driver could allow local privilege escalation. This driver is part of the kernel-unsupported package. The Common Vulnera- bilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0003 to this issue. A flaw in ncp_lookup() in ncpfs could allow local privilege escalation. The ncpfs module allows a system to mount volumes of NetWare servers or print to NetWare printers and is in the kernel-unsupported package. The Common Vulnera- bilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0010 to this issue. (Note that the kernel-unsupported package contains drivers and other modules that are unsupported and therefore might contain security problems that have not been addressed.) All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2003-0461 CVE-2003-0465 CVE-2003-0984 CVE-2003-1040 CVE-2004-0003 CVE-2004-0010 Disk READ performance worse compared with 2.4.20-18.9smp The synchronous write() system call of RHEL3.0 is slower than that of RHEL2.1. ia64 kernel stops allocating memory too early when overcommit_memory set to strict 'cp -p' returns error when destination is an nfs directory Random stall during boot-up MINSIGSTKSZ mismatch between ia32 and ia64 3ware raid extremely low throughput Typo in module parameter of scsi_mod module PATCH: LTC5351-Large external array causes SIGILL in 32-bit [PATCH] LTC5381- rhel 3 will need to pick up the cyclone-lpj-fix patch clock is running to fast on IBM x445 tg3 driver fails to autonegotiate correctly ada compiler crashes on even hello-world [PATCH] alternate signal stack bug corrupts RNaT bits ACL over NFS problem Invalid ICMP type 11 messages echo'd to console /proc/pid/statm can return negative values [PATCH] oops in IUCV code avoid hang during initialization on I/O errors Duplicate get_partition_list bug to track Bugzilla 111342 in Taroon - RHEL 3.0 using v6.06.00b11 driver attached to McData switch doesn't log in or scan devices successfully. (TG3) driver doesn't work properly with bcm5700 nic reservation error code, corrupts request queue RHEL3 kernel not preventing or recovering from fork bomb when ulimit used LTC5732 - MMIO alignment error when inserting the olympic TR module. [PATCH] RHEL3 ia64: 32 bit applications don't dump core properly [PATCH] RHEL3/ia64: strace -f on multithreaded 32 bit applications doesn't work CAN-2003-0461 /proc reveals char count CAN-2003-0465 kernel strncpy padding CAN-2003-0984 minor /dev/rtc leak lousy read performance on megaraid with 2.4.21-4.0.2.EL netdump - various race conditions that lead to hangs in panic()/die() too many ipv6 aliases cause kernel oops CAN-2004-0003 r128 DRI depmod is not run for kernel-2.4.21-9.EL from Quaterly Update #1 [PATCH] Excutable compiled on x86 can cause kernel seg fault on x86_64 Raw device performance poor under WS 3 Dreamworks IT#29689 LSI Megaraid(2) performance subpar in RHEL3, using RHEL3 kernel Bad performance with Q1 update kernel (-9EL) zfcp updates for RHEL3 U2 Panic in elf_core_copy_regs() core dumping ia32 binary date returns future year of 586562 RHEL 3.0 default QLogic driver v6.06.00b11 spews sg_low_free and QUEUE FULL messages at load time. Running I/O on RHEL 3.0 and using the v6.06.00b11 driver, the driver ran out of memory and began arbitrarily killing processes. bad disk I/O performance with the 2.4.21-4.ELsmp kernel strange load - kswapd/IO ? CAN-2004-0010 ncpfs hole (unsupported) tg3 driver doesn't support bonding driver's ALB mode P4 2.8ghz HT, Using RHEL WS 3.0 Update 1, latest SMP Kernel, see only 1 CPU frequent kernel panics system needlessly thrashing swap partition MTRRs not initialized correctly kswapd in state R and D load constant at 1+ Machine doesn't boot SMP Kernel after installation [PATCH] kernel panics when removing expired IPsec SAs /proc/cpuinfo vendor_id is wrong. shows $ kernel module binfmt_misc missing nfs peformance very bad on EL3 Runaway processes with USB console on Blade Center servers freeze (only respond to ping and sysrq) periodically cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 CVS is a version control system frequently used to manage source code repositories. Stefan Esser discovered a flaw in cvs where malformed "Entry" lines could cause a heap overflow. An attacker who has access to a CVS server could use this flaw to execute arbitrary code under the UID which the CVS server is executing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0396 to this issue. Users of CVS are advised to upgrade to this updated package, which contains a backported patch correcting this issue. Red Hat would like to thank Stefan Esser for notifying us of this issue and Derek Price for providing an updated patch. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0396 CAN-2004-0396 CVS pserver heap overflow via Entry/Is-modified/Unchanged cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Rsync is a program for synchronizing files over a network. Rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot. This could allow a remote attacker to write files outside of the module's "path", depending on the privileges assigned to the rsync daemon. Users not running an rsync daemon, running a read-only daemon, or running a chrooted daemon are not affected by this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0426 to this issue. Users of Rsync are advised to upgrade to this updated package, which contains a backported patch and is not affected by this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0426 CAN-2004-0426 rsync directory traversal cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Tcpdump is a command-line tool for monitoring network traffic. Tcpdump v3.8.1 and earlier versions contained multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP would try to read beyond the end of the packet capture buffer and subsequently crash. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. Low Copyright 2004 Red Hat, Inc. CVE-2004-0183 CVE-2004-0184 CAN-2004-0183/0184 tcpdump ISAKMP crash CAN-2004-0183/0184 tcpdump ISAKMP crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 CVS is a version control system frequently used to manage source code repositories. While investigating a previously fixed vulnerability, Derek Price discovered a flaw relating to malformed "Entry" lines which lead to a missing NULL terminator. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0414 to this issue. Stefan Esser and Sebastian Krahmer conducted an audit of CVS and fixed a number of issues that may have had security consequences. Among the issues deemed likely to be exploitable were: -- a double-free relating to the error_prog_name string (CAN-2004-0416) -- an argument integer overflow (CAN-2004-0417) -- out-of-bounds writes in serv_notify (CAN-2004-0418). An attacker who has access to a CVS server may be able to execute arbitrary code under the UID on which the CVS server is executing. Users of CVS are advised to upgrade to this updated package, which contains backported patches correcting these issues. Red Hat would like to thank Stefan Esser, Sebastian Krahmer, and Derek Price for auditing, disclosing, and providing patches for these issues. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0414 CVE-2004-0416 CVE-2004-0417 CVE-2004-0418 CVE-2004-0778 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. The MMSE dissector in Ethereal releases 0.10.1 through 0.10.3 contained a buffer overflow flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0507 to this issue. In addition, other flaws in Ethereal prior to 0.10.4 were found that could cause it to crash in response to carefully crafted SIP (CAN-2004-0504), AIM (CAN-2004-0505), or SPNEGO (CAN-2004-0506) packets. Users of Ethereal should upgrade to these updated packages, which contain backported security patches that correct these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0504 CVE-2004-0505 CVE-2004-0506 CVE-2004-0507 CAN-2004-0504/5/6/7 Ethereal 0.10.4 contains security fixes cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Kerberos is a network authentication system. Bugs have been fixed in the krb5_aname_to_localname library function. Specifically, buffer overflows were possible for all Kerberos versions up to and including 1.3.3. The krb5_aname_to_localname function translates a Kerberos principal name to a local account name, typically a UNIX username. This function is frequently used when performing authorization checks. If configured with mappings from particular Kerberos principals to particular UNIX user names, certain functions called by krb5_aname_to_localname will not properly check the lengths of buffers used to store portions of the principal name. If configured to map principals to user names using rules, krb5_aname_to_localname would consistently write one byte past the end of a buffer allocated from the heap. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0523 to this issue. Only configurations which enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname() are vulnerable. These configurations are not the default. Users of Kerberos are advised to upgrade to these erratum packages which contain backported security patches to correct these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0523 CAN-2004-0523 MIT Kerberos 5: buffer overflows in krb5_aname_to_localname cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SquirrelMail is a webmail package written in PHP. Multiple vulnerabilities have been found which affect the version of SquirrelMail shipped with Red Hat Enterprise Linux 3. An SQL injection flaw was found in SquirrelMail version 1.4.2 and earlier. If SquirrelMail is configured to store user addressbooks in the database, a remote attacker could use this flaw to execute arbitrary SQL statements. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0521 to this issue. A number of cross-site scripting (XSS) flaws in SquirrelMail version 1.4.2 and earlier could allow remote attackers to execute script as other web users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0519 and CAN-2004-0520 to these issues. All users of SquirrelMail are advised to upgrade to the erratum package containing SquirrelMail version 1.4.3a which is not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0519 CVE-2004-0520 CVE-2004-0521 CAN-2004-0519/20/21 XSS and SQL issues in Squirrelmail cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A buffer overflow was found within the NTLM authentication helper routine. If Squid is configured to use the NTLM authentication helper, a remote attacker could potentially execute arbitrary code by sending a lengthy password. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0541 to this issue. Note: The NTLM authentication helper is not enabled by default in Red Hat Enterprise Linux 3. Red Hat Enterprise Linux 2.1 is not vulnerable to this issue as it shipped with a version of Squid which did not contain the helper. Users of Squid should update to this errata package which contains a backported patch that is not vulnerable to this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0541 CAN-2004-0541 Squid NTLM authentication helper overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. During an audit of Red Hat Linux updates, the Fedora Legacy team found a security issue in libpng that had not been fixed in Red Hat Enterprise Linux 3. An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash or potentially execute arbitrary code when opened by a victim. Note: this issue does not affect Red Hat Enterprise Linux 2.1 Users are advised to upgrade to these updated packages that contain a backported security fix and are not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2002-1363 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. A flaw was found in Linux kernel versions 2.4 and 2.6 for x86 and x86_64 that allowed local users to cause a denial of service (system crash) by triggering a signal handler with a certain sequence of fsave and frstor instructions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0554 to this issue. Another flaw was discovered in an error path supporting the clone() system call that allowed local users to cause a denial of service (memory leak) by passing invalid arguments to clone() running in an infinite loop of a user's program. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0427 to this issue. Enhancements were committed to the 2.6 kernel by Al Viro which enabled the Sparse source code checking tool to check for a certain class of kernel bugs. A subset of these fixes also applies to various drivers in the 2.4 kernel. Although the majority of these resides in drivers unsupported in Red Hat Enterprise Linux 3, the flaws could lead to privilege escalation or access to kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0495 to these issues. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. These packages contain backported patches to correct these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0427 CVE-2004-0495 CVE-2004-0554 CAN-2004-0554 local user can get the kernel to hang [PATCH] CAN-2004-0554: FPU exception handling local DoS last RH kernel affected bug CAN-2004-0495 Sparse security fixes backported for 2.4 kernel cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. Evgeny Demidov discovered a flaw in the internal routine used by the Samba Web Administration Tool (SWAT) in Samba versions 3.0.2 through 3.0.4. When decoding base-64 data during HTTP basic authentication, an invalid base-64 character could cause a buffer overflow. If the SWAT administration service is enabled, this flaw could allow an attacker to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0600 to this issue. Additionally, the Samba team discovered a buffer overflow in the code used to support the 'mangling method = hash' smb.conf option. Please be aware that the default setting for this parameter is 'mangling method = hash2' and therefore not vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0686 to this issue. This release includes the updated upstream version 3.0.4 together with backported security patches to correct these issues as well as a number of post-3.0.4 bug fixes from the Samba subversion repository. The most important bug fix allows Samba users to change their passwords if Microsoft patch KB 828741 (a critical update) had been applied. All users of Samba should upgrade to these updated packages, which resolve these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0600 CVE-2004-0686 samba spec needs epoch in versioned dependecies samba consumes all memory then hangs z390 vmachine. Missing BuildRequires: krb5-devel local variable used before set smb.conf(5) manual page bug if you do not use UTF-8 based locale spec file should install libsmbclient.so with executable permissions Need 'printing = cups' and 'cups options = raw' Samba is unable to read international characters in filenames Users get error message when changing passwords after applying KB828741 NTBackup cannot access samba shares Requesting updated packages to 3.0.4 CAN-2004-0600 Buffer Overrun in memcpy() CAN-2004-0686 buffer overflow in 'mangling method = hash' code. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 IPSEC uses strong cryptography to provide both authentication and encryption services. When configured to use X.509 certificates to authenticate remote hosts, ipsec-tools versions 0.3.3 and earlier will attempt to verify that host certificate, but will not abort the key exchange if verification fails. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0607 to this issue. Users of ipsec-tools should upgrade to this updated package which contains a backported security patch and is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0607 CAN-2004-0607 racoon authentication bug cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 LHA is an archiving and compression utility for LHarc format archives. Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0769 to this issue. Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user could trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0771 and CAN-2004-0694 to these issues. Thomas Biege discovered a shell meta character command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0745 to this issue. Users of lha should update to this updated package which contains backported patches and is not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0769 CVE-2004-0771 CVE-2004-0694 CVE-2004-0745 CAN-2004-0694 Buffer overflow in lha (CAN-2004-0745, CAN-2004-0769, CAN-2004-0771) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. A stack buffer overflow was discovered in mod_ssl that could be triggered if using the FakeBasicAuth option. If mod_ssl was sent a client certificate with a subject DN field longer than 6000 characters, a stack overflow occured if FakeBasicAuth had been enabled. In order to exploit this issue the carefully crafted malicious certificate would have had to be signed by a Certificate Authority which mod_ssl is configured to trust. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0488 to this issue. A remotely triggered memory leak in the Apache HTTP Server earlier than version 2.0.50 was also discovered. This allowed a remote attacker to perform a denial of service attack against the server by forcing it to consume large amounts of memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0493 to this issue. Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0488 CVE-2004-0493 CAN-2004-0488 mod_ssl ssl_util_uuencode_binary() stack overflow CAN-2004-0493 folding header DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. An input filter bug in mod_ssl was discovered in Apache httpd version 2.0.50 and earlier. A remote attacker could force an SSL connection to be aborted in a particular state and cause an Apache child process to enter an infinite loop, consuming CPU resources. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0748 to this issue. Additionally, this update includes the following enhancements and bug fixes: - included an improved version of the mod_cgi module that correctly handles concurrent output on stderr and stdout - included support for direct lookup of SSL variables using %{SSL:...} from mod_rewrite, or using %{...}s from mod_headers - restored support for use of SHA1-encoded passwords - added the mod_ext_filter module Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0748 4097+ bytes of stderr from cgi script causes script to hang Apache autoindex corrupt when > 2GB file in tree HTTP authentication against password file with SHA1 password hashes fails please enable mod_ext_filter mod_ssl environment variables not available in mod_rewrite rules cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execuate arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0642 and CAN-2004-0643 to these issues. A double-free bug was also found in the krb524 server (CAN-2004-0772), however this issue does not affect Red Hat Enterprise Linux 3 Kerberos packages. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0644 to this issue. When attempting to contact a KDC, the Kerberos libraries will iterate through the list of configured servers, attempting to contact each in turn. If one of the servers becomes unresponsive, the client will time out and contact the next configured server. When the library attempts to contact the next KDC, the entire process is repeated. For applications which must contact a KDC several times, the accumulated time spent waiting can become significant. This update modifies the libraries, notes which server for a given realm last responded to a request, and attempts to contact that server first before contacting any of the other configured servers. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0642 CVE-2004-0643 CVE-2004-0644 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances. In the 2.4 kernel, as shipped with Red Hat Enterprise Linux, the only way this could happen is through the kernel nfs server. A user on a system that mounted a remote file system from a vulnerable machine may be able to make unauthorized changes to the group ID of exported files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0497 to this issue. Only Red Hat Enterprise Linux systems that are configured to share file systems via NFS are affected by this issue. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0497 CAN-2004-0497 inode_change_ok missing checks allows GID changes cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 GNOME VFS is the GNOME virtual file system. It provides a modular architecture and ships with several modules that implement support for file systems, HTTP, FTP, and others. The extfs backends make it possible to implement file systems for GNOME VFS using scripts. Flaws have been found in several of the GNOME VFS extfs backend scripts. Red Hat Enterprise Linux ships with vulnerable scripts, but they are not used by default. An attacker who is able to influence a user to open a specially-crafted URI using gnome-vfs could perform actions as that user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0494 to this issue. Users of Red Hat Enterprise Linux should upgrade to these updated packages, which remove these unused scripts. Low Copyright 2004 Red Hat, Inc. CVE-2004-0494 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. The SNMP dissector in Ethereal releases 0.8.15 through 0.10.4 contained a memory read flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0635 to this issue. The SMB dissector in Ethereal releases 0.9.15 through 0.10.4 contained a null pointer flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0634 to this issue. The iSNS dissector in Ethereal releases 0.10.3 through 0.10.4 contained an integer overflow flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0633 to this issue. Users of Ethereal should upgrade to these updated packages, which contain a version that is not vulnerable to these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0633 CVE-2004-0634 CVE-2004-0635 CAN-2004-0633/34/35 Multiple problems in Ethereal 0.10.4 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server. Stefan Esser discovered a flaw when memory_limit is enabled in versions of PHP 4 before 4.3.8. If a remote attacker could force the PHP interpreter to allocate more memory than the memory_limit setting before script execution begins, then the attacker may be able to supply the contents of a PHP hash table remotely. This hash table could then be used to execute arbitrary code as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0594 to this issue. This issue has a higher risk when PHP is running on an instance of Apache which is vulnerable to CAN-2004-0493. For Red Hat Enterprise Linux 3, this Apache memory exhaustion issue was fixed by a previous update, RHSA-2004:342. It may also be possible to exploit this issue if using a non-default PHP configuration with the "register_defaults" setting is changed to "On". Red Hat does not believe that this flaw is exploitable in the default configuration of Red Hat Enterprise Linux 3. Stefan Esser discovered a flaw in the strip_tags function in versions of PHP before 4.3.8. The strip_tags function is commonly used by PHP scripts to prevent Cross-Site-Scripting attacks by removing HTML tags from user-supplied form data. By embedding NUL bytes into form data, HTML tags can in some cases be passed intact through the strip_tags function, which may allow a Cross-Site-Scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0595 to this issue. All users of PHP are advised to upgrade to these updated packages, which contain backported patches that address these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0594 CVE-2004-0595 CAN-2004-0594 PHP memory_limit issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Gaim is an instant messenger client that can handle multiple protocols. Buffer overflow bugs were found in the Gaim MSN protocol handler. In order to exploit these bugs, an attacker would have to perform a man in the middle attack between the MSN server and the vulnerable Gaim client. Such an attack could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0500 to this issue. Buffer overflow bugs have been found in the Gaim URL decoder, local hostname resolver, and the RTF message parser. It is possible that a remote attacker could send carefully crafted data to a vulnerable client and lead to a crash or arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0785 to this issue. A shell escape bug has been found in the Gaim smiley theme file installation. When a user installs a smiley theme, which is contained within a tar file, the unarchiving of the data is done in an unsafe manner. An attacker could create a malicious smiley theme that would execute arbitrary commands if the theme was installed by the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0784 to this issue. An integer overflow bug has been found in the Gaim Groupware message receiver. It is possible that if a user connects to a malicious server, an attacker could send carefully crafted data which could lead to arbitrary code execution on the victims machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0754 to this issue. Users of Gaim are advised to upgrade to this updated package which contains Gaim version 0.82 and is not vulnerable to these issues. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0500 CVE-2004-0754 CVE-2004-0784 CVE-2004-0785 CAN-2004-0500 Gaim MSN protocol vulnerabilities cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. During a source code audit, Chris Evans discovered several buffer overflows in libpng. An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0597 to these issues. In addition, this audit discovered a potential NULL pointer dereference in libpng (CAN-2004-0598) and several integer overflow issues (CAN-2004-0599). An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to crash when the file was opened by the victim. Red Hat would like to thank Chris Evans for discovering these issues. For users of Red Hat Enterprise Linux 2.1 these patches also include a more complete fix for the out of bounds memory access flaw (CAN-2002-1363). All users are advised to update to the updated libpng packages which contain backported security patches and are not vulnerable to these issues. Critical Copyright 2004 Red Hat, Inc. CVE-2002-1363 CVE-2004-0597 CVE-2004-0598 CVE-2004-0599 CAN-2004-0597/98/99 multiple problems in libpng 1.2.5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SoX (Sound eXchange) is a sound file format converter. SoX can convert between many different digitized sound formats and perform simple sound manipulation functions, including sound effects. Buffer overflows existed in the parsing of WAV file header fields. It was possible that a malicious WAV file could have caused arbitrary code to be executed when the file was played or converted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0557 to these issues. All users of sox should upgrade to these updated packages, which resolve these issues as well as fix a number of minor bugs. Important Copyright 2004 Red Hat, Inc. CVE-2004-0557 largefile support missing SoX's soxplay doesn't except paths containg spaces sox RPM does not install soxmix -r option dumps core on x86_64 CAN-2004-0557 buffer overflows in sox cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdelibs packages include libraries for the K Desktop Environment. The kdebase packages include core applications for the K Desktop Environment. Andrew Tuitt reported that versions of KDE up to and including 3.2.3 create temporary directories with predictable names. A local attacker could prevent KDE applications from functioning correctly, or overwrite files owned by other users by creating malicious symlinks. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0689 to this issue. WESTPOINT internet reconnaissance services has discovered that the KDE web browser Konqueror allows websites to set cookies for certain country specific secondary top level domains. An attacker within one of the affected domains could construct a cookie which would be sent to all other websites within the domain leading to a session fixation attack. This issue does not affect popular domains such as .co.uk, .co.in, or .com. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0721 to this issue. A frame injection spoofing vulnerability has been discovered in the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a named frame of a different browser window. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0746 to this issue. All users of KDE are advised to upgrade to these erratum packages, which contain backported patches from the KDE team for these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0689 CVE-2004-0746 CVE-2004-0721 CAN-2004-0721 Konqueror frame injection spoofing CAN-2004-0689 Predictable temporary filenames CAN-2004-0746 Konqueror Cross-Domain Cookie Injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0415 to this issue. These packages contain a patch written by Al Viro to correct these flaws. Red Hat would like to thank iSEC Security Research for disclosing this issue and a number of vendor-sec participants for reviewing and working on the patch to this issue. In addition, these packages correct a number of minor security issues: An bug in the e1000 network driver. This bug could be used by local users to leak small amounts of kernel memory (CAN-2004-0535). A bug in the SoundBlaster 16 code which does not properly handle certain sample sizes. This flaw could be used by local users to crash a system (CAN-2004-0178). A possible NULL-pointer dereference in the Linux kernel prior to 2.4.26 on the Itanium platform could allow a local user to crash a system (CAN-2004-0447). Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode (CAN-2004-0587). All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2004-0178 CVE-2004-0415 CVE-2004-0447 CVE-2004-0535 CVE-2004-0587 CAN-2004-0447 [PATCH] IPF kernel crashes under gdb CAN-2004-0178 Soundblaster 16 local DoS CAN-2004-0535 e1000 kernel memory information leak CAN-2004-0587 Bad permissions on qla* drivers CAN-2004-0447 NULL-pointer dereference in unwind.c CAN-2004-0415 file offset pointer signedness issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System. During a security audit, Chris Evans discovered a heap overflow in the BMP image decoder in Qt versions prior to 3.3.3. An attacker could create a carefully crafted BMP file in such a way that it would cause an application linked with Qt to crash or possibly execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0691 to this issue. Additionally, various flaws were discovered in the GIF, XPM, and JPEG decoders in Qt versions prior to 3.3.3. An attacker could create carefully crafted image files in such a way that it could cause an application linked against Qt to crash when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0692 and CAN-2004-0693 to these issues. Users of Qt should update to these updated packages which contain backported patches and are not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0691 CVE-2004-0692 CVE-2004-0693 CAN-2004-0691 BMP decoder heap overflow CAN-2004-0692 XPM decoder integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A number of flaws have been found in Mozilla 1.4 that have been fixed in the Mozilla 1.4.3 release: Zen Parse reported improper input validation to the SOAPParameter object constructor leading to an integer overflow and controllable heap corruption. Malicious JavaScript could be written to utilize this flaw and could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0722 to this issue. During a source code audit, Chris Evans discovered a buffer overflow and integer overflows which affect the libpng code inside Mozilla. An attacker could create a carefully crafted PNG file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image was viewed. (CAN-2004-0597, CAN-2004-0599) Zen Parse reported a flaw in the POP3 capability. A malicious POP3 server could send a carefully crafted response that would cause a heap overflow and potentially allow execution of arbitrary code as the user running Mozilla. (CAN-2004-0757) Marcel Boesch found a flaw that allows a CA certificate to be imported with a DN the same as that of the built-in CA root certificates, which can cause a denial of service to SSL pages, as the malicious certificate is treated as invalid. (CAN-2004-0758) Met - Martin Hassman reported a flaw in Mozilla that could allow malicious Javascript code to upload local files from a users machine without requiring confirmation. (CAN-2004-0759) Mindlock Security reported a flaw in ftp URI handling. By using a NULL character (%00) in a ftp URI, Mozilla can be confused into opening a resource as a different MIME type. (CAN-2004-0760) Mozilla does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates website spoofing and other attacks, also known as the frame injection vulnerability. (CAN-2004-0718) Tolga Tarhan reported a flaw that can allow a malicious webpage to use a redirect sequence to spoof the security lock icon that makes a webpage appear to be encrypted. (CAN-2004-0761) Jesse Ruderman reported a security issue that affects a number of browsers including Mozilla that could allow malicious websites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box. (CAN-2004-0762) Emmanouel Kellinis discovered a caching flaw in Mozilla which allows malicious websites to spoof certificates of trusted websites via redirects and Javascript that uses the "onunload" method. (CAN-2004-0763) Mozilla allowed malicious websites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files. (CAN-2004-0764) The cert_TestHostName function in Mozilla only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN). This flaw could be used for spoofing if an attacker had control of machines on a default DNS search path. (CAN-2004-0765) All users are advised to update to these erratum packages which contain a snapshot of Mozilla 1.4.3 including backported fixes and are not vulnerable to these issues. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0597 CVE-2004-0599 CVE-2004-0718 CVE-2004-0722 CVE-2004-0757 CVE-2004-0758 CVE-2004-0759 CVE-2004-0760 CVE-2004-0761 CVE-2004-0762 CVE-2004-0763 CVE-2004-0764 CVE-2004-0765 CAN-2004-0758 Overriding built-in certificate leading to error -8182 (DoS), especially exploitable by email CAN-2004-0718 frame injection (spoofing) vuln in Mozilla before 1.7 Numerous security issues fixed in Mozilla 1.4.3 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The redhat-config-nfs package includes a graphical user interface for creating, modifying, and deleting nfs shares. John Buswell discovered a flaw in redhat-config-nfs that could lead to incorrect permissions on exported shares when exporting to multiple hosts. This could cause an option such as "all_squash" to not be applied to all of the listed hosts. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0750 to this issue. Additionally, a bug was found that prevented redhat-config-nfs from being run if hosts didn't have options set in /etc/exports. All users of redhat-config-nfs are advised to upgrade to these updated packages as well as checking their NFS shares directly or via the /etc/exports file for any incorrectly set options. Low Copyright 2004 Red Hat, Inc. CVE-2004-0750 CVE-2004-0750 [PATCH] /etc/exports has incorrect syntax for multiple hosts with a single mount point cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The rsync program synchronizes files over a network. Versions of rsync up to and including version 2.6.2 contain a path sanitization issue. This issue could allow an attacker to read or write files outside of the rsync directory. This vulnerability is only exploitable when an rsync server is enabled and is not running within a chroot. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0792 to this issue. Users of rsync are advised to upgrade to this updated package, which contains a backported patch and is not affected by this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0792 CAN-2004-0792 rsync path sanitizing bug cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ruby is an interpreted scripting language for object-oriented programming. Andres Salomon reported an insecure file permissions flaw in the CGI session management of Ruby. FileStore created world readable files that could allow a malicious local user the ability to read CGI session data. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0755 to this issue. Users are advised to upgrade to this erratum package, which contains a backported patch to CGI::Session FileStore. Low Copyright 2004 Red Hat, Inc. CVE-2004-0755 CAN-2004-0755 ruby insecure file permissions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. Secunia Research reported an issue with the handling of temporary files. A malicious local user could use this flaw to access the contents of another user's open documents. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0752 to this issue. All users of OpenOffice.org are advised to upgrade to these updated packages which contain a backported patch to correct this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0752 CAN-2004-0752 openoffice temporary file information leakage. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. [Updated 15th September 2004] Packages have been updated to correct a bug which caused the xpm loader to fail. During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was discovered in the BMP image processor of gdk-pixbuf. An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to this issue. During a security audit, Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CAN-2004-0782, CAN-2004-0783) Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file is opened by a victim. (CAN-2004-0788) These packages have also been updated to correct a bug which caused the xpm loader to fail. Users of gdk-pixbuf are advised to upgrade to these packages, which contain backported patches and are not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0753 CVE-2004-0782 CVE-2004-0783 CVE-2004-0788 CAN-2004-0753 bmp image loader DOS CAN-2004-0782/3/8 GTK XPM decoder issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) is a print spooler. Alvaro Martinez Echevarria reported a bug in the CUPS Internet Printing Protocol (IPP) implementation in versions of CUPS prior to 1.1.21. An attacker could send a carefully crafted UDP packet to the IPP port which could cause CUPS to stop listening to the port and result in a denial of service. In order to exploit this bug, an attacker would need to have the ability to send a UDP packet to the IPP port (by default 631). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0558 to this issue. All users of cups should upgrade to these updated packages, which contain a backported patch as well as a fix for a non-exploitable off-by-one bug. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0558 CAN-2004-0558 DOS in cups browsing cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email. A denial of service bug has been found in SpamAssassin versions below 2.64. A malicious attacker could construct a message in such a way that would cause spamassassin to stop responding, potentially preventing the delivery or filtering of email. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0796 to this issue. Users of SpamAssassin should update to these updated packages which contain a backported patch and is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0796 CAN-2004-0796 DOS attack open to certain malformed messages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. An out of bounds memory read bug was found within the NTLM authentication helper routine. If Squid is configured to use the NTLM authentication helper, a remote attacker could send a carefully crafted NTLM authentication packet and cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0832 to this issue. Note: The NTLM authentication helper is not enabled by default in Red Hat Enterprise Linux 3. Red Hat Enterprise Linux 2.1 is not vulnerable to this issue as it shipped with a version of Squid which did not contain the vulnerable helper. Users of Squid should update to this erratum package, which contains a backported patch and is not vulnerable to this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0832 CAN-2004-0832 Certain malformed NTLMSSP packets could crash the NTLM helpers provided by Squid cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. Four issues have been discovered affecting releases of the Apache HTTP 2.0 Server, up to and including version 2.0.50: Testing using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. This issue is not believed to allow arbitrary code execution on Red Hat Enterprise Linux. This issue also does not represent a significant denial of service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0786 to this issue. The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the expansion of environment variables during configuration file parsing. This issue could allow a local user to gain 'apache' privileges if an httpd process can be forced to parse a carefully crafted .htaccess file written by a local user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0747 to this issue. An issue was discovered in the mod_ssl module which could be triggered if the server is configured to allow proxying to a remote SSL server. A malicious remote SSL server could force an httpd child process to crash by sending a carefully crafted response header. This issue is not believed to allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0751 to this issue. An issue was discovered in the mod_dav module which could be triggered for a location where WebDAV authoring access has been configured. A malicious remote client which is authorized to use the LOCK method could force an httpd child process to crash by sending a particular sequence of LOCK requests. This issue does not allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0809 to this issue. Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0747 CVE-2004-0751 CVE-2004-0786 CVE-2004-0809 CAN-2004-0747/51/86 Apache issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Imlib is an image loading and rendering library. Several heap overflow flaws were found in the imlib BMP image handler. An attacker could create a carefully crafted BMP file in such a way that it could cause an application linked with imlib to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0817 to this issue. Users of imlib should update to this updated package which contains backported patches and is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0817 CAN-2004-0817 heap overflow in BMP decoder cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was discovered in the BMP image processor of gtk2. An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to this issue. During a security audit Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CAN-2004-0782, CAN-2004-0783) Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file was opened by a victim. (CAN-2004-0788) This updated gtk2 package also fixes a few key combination bugs on various X servers, such as Hummingbird, ReflectionX, and X-Win32. If a server was configured to use the Swiss German, Swiss French, or France French keyboard layouts, Mode_Switched characters were unable to be entered within GTK based applications. Users of gtk2 are advised to upgrade to these packages which contain backported patches and are not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0753 CVE-2004-0782 CVE-2004-0783 CVE-2004-0788 CAN-2004-0753 bmp image loader DOS CAN-2004-0782/3/8 GTK XPM decoder issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. The Samba team has discovered a denial of service bug in the smbd daemon. A defect in smbd's ASN.1 parsing allows an attacker to send a specially crafted packet during the authentication request which will send the newly spawned smbd process into an infinite loop. Given enough of these packets, it is possible to exhaust the available memory on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0807 to this issue. Additionally the Samba team has also discovered a denial of service bug in the nmbd daemon. It is possible that an attacker could send a specially crafted UDP packet which could allow the attacker to anonymously crash nmbd. This issue only affects nmbd daemons which are configured to process domain logons. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0808 to this issue. Users of Samba should upgrade to these updated packages, which contain an upgrade to Samba-3.0.7, which is not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0807 CVE-2004-0808 CAN-2004-0807/8 Samba 3 DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an open source implementation of the X Window System. It provides the basic low level functionality which full fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon. During a source code audit, Chris Evans discovered several stack overflow flaws and an integer overflow flaw in the X.Org libXpm library used to decode XPM (X PixMap) images. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0687, CAN-2004-0688, and CAN-2004-0692 to these issues. A flaw was found in the X Display Manager (XDM). XDM is shipped with Red Hat Enterprise Linux, but is not used by default. XDM opened a chooserFd TCP socket even if the DisplayManager.requestPort parameter was set to 0. This allowed authorized users to access a machine remotely via X, even if the administrator had configured XDM to refuse such connections. Although XFree86 4.3.0 was not vulnerable to this issue, Red Hat Enterprise Linux 3 contained a backported patch which introduced this flaw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0419 to this issue. Users are advised to upgrade to these erratum packages, which contain backported security patches to correct these and a number of other issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0419 CVE-2004-0687 CVE-2004-0688 CVE-2004-0692 CAN-2004-0419 xdm opens random tcp sockets xdm walks physical memory Radeon driver (7000m) TVDAC output too high for DELL Server CAN-2004-0687/8 libXpm stack and integer overflows. archexec script not in XFree86-devel package cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 ImageMagick(TM) is an image display and manipulation tool for the X Window System. A heap overflow flaw has been discovered in the ImageMagick image handler. An attacker could create a carefully crafted BMP file in such a way that it could cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0827 to this issue. Users of ImageMagick should upgrade to this updated package, which contains a backported patch, and is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0827 CAN-2004-0827 heap overflow in BMP decoder cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Jesse Ruderman discovered a cross-domain scripting bug in Mozilla. If a user is tricked into dragging a javascript link into another frame or page, it becomes possible for an attacker to steal or modify sensitive information from that site. Additionally, if a user is tricked into dragging two links in sequence to another window (not frame), it is possible for the attacker to execute arbitrary commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0905 to this issue. Gael Delalleau discovered an integer overflow which affects the BMP handling code inside Mozilla. An attacker could create a carefully crafted BMP file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image is viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0904 to this issue. Georgi Guninski discovered a stack-based buffer overflow in the vCard display routines. An attacker could create a carefully crafted vCard file in such a way that it would cause Mozilla to crash or execute arbitrary code when viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0903 to this issue. Wladimir Palant discovered a flaw in the way javascript interacts with the clipboard. It is possible that an attacker could use malicious javascript code to steal sensitive data which has been copied into the clipboard. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0908 to this issue. Georgi Guninski discovered a heap based buffer overflow in the "Send Page" feature. It is possible that an attacker could construct a link in such a way that a user attempting to forward it could result in a crash or arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0902 to this issue. Users of Mozilla should update to these updated packages, which contain backported patches and are not vulnerable to these issues. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0902 CVE-2004-0903 CVE-2004-0904 CVE-2004-0905 CVE-2004-0908 CAN-2004-0905 javascript link dragging information leak CAN-2004-0905 javascript link dragging information leak CAN-2004-0904 BMP integer overflows CAN-2004-0904 BMP integer overflows CAN-2004-0903 VCard buffer overflow CAN-2004-0903 VCard buffer overflow CAN-2004-0908 javascript clipboard information leakage CAN-2004-0908 javascript clipboard information leakage CAN-2004-0902 "send page" heap based buffer overflow CAN-2004-0902 "send page" heap based buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects, and user-defined types and functions). Trustix has identified improper temporary file usage in the make_oidjoins_check script. It is possible that an attacker could overwrite arbitrary file contents as the user running the make_oidjoins_check script. This script has been removed from the RPM file since it has no use to ordinary users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0977 to this issue. Additionally, the following non-security issues have been addressed: - Fixed a low probability risk for loss of recently committed transactions. - Fixed a low probability risk for loss of older data due to failure to update transaction status. - A lock file problem that sometimes prevented automatic restart after a system crash has been fixed. All users of rh-postgresql should upgrade to these updated packages, which resolve these issues. Low Copyright 2004 Red Hat, Inc. CVE-2004-0977 PostgreSQL can lose committed transactions a bug in rh-postgresql.spec file Postgres's init script does not remove stale PID file CAN-2004-0977 temporary file vulnerabilities in make_oidjoins_check script PostgreSQL data loss risk and minor security issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenMotif provides libraries which implement the Motif industry standard graphical user interface. During a source code audit, Chris Evans and others discovered several stack overflow flaws and an integer overflow flaw in the libXpm library used to decode XPM (X PixMap) images. A vulnerable version of this library was found within OpenMotif. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0687, CAN-2004-0688, and CAN-2004-0914 to these issues. Users of OpenMotif are advised to upgrade to these erratum packages, which contain backported security patches to the embedded libXpm library. Important Copyright 2004 Red Hat, Inc. CVE-2004-0687 CVE-2004-0688 CVE-2004-0914 CAN-2004-0687 libxpm flaws affect OpenMotif (CAN-2004-0688, CAN-2004-0914) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) is a print spooler. During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect xpdf. CUPS contains a copy of the xpdf code used for parsing PDF files and is therefore affected by these bugs. An attacker who has the ability to send a malicious PDF file to a printer could cause CUPS to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0888 to this issue. When set up to print to a shared printer via Samba, CUPS would authenticate with that shared printer using a username and password. By default, the username and password used to connect to the Samba share is written into the error log file. A local user who is able to read the error log file could collect these usernames and passwords. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0923 to this issue. These updated packages also include a fix that prevents some CUPS configuration files from being accidentally replaced. All users of CUPS should upgrade to these updated packages, which resolve these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0888 CVE-2004-0923 cups configuration mime.types was updated - not copied to mime.types.rpmnew CAN-2004-0923 Log file information disclosure CAN-2004-0888 xpdf issues affect cups cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. At application startup, libsasl and libsasl2 attempts to build a list of all available SASL plug-ins which are available on the system. To do so, the libraries search for and attempt to load every shared library found within the plug-in directory. This location can be set with the SASL_PATH environment variable. In situations where an untrusted local user can affect the environment of a privileged process, this behavior could be exploited to run arbitrary code with the privileges of a setuid or setgid application. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0884 to this issue. Users of cyrus-sasl should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0884 CAN-2004-0884 privilege escalation cyrus-sasl causes crashes with ldap cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This update includes fixes for several security issues: A missing serialization flaw in unix_dgram_recvmsg was discovered that affects kernels prior to 2.4.28. A local user could potentially make use of a race condition in order to gain privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1068 to this issue. Paul Starzetz of iSEC discovered various flaws in the ELF binary loader affecting kernels prior to 2.4.28. A local user could use thse flaws to gain read access to executable-only binaries or possibly gain privileges. (CAN-2004-1070, CAN-2004-1071, CAN-2004-1072, CAN-2004-1073) A flaw when setting up TSS limits was discovered that affects AMD AMD64 and Intel EM64T architecture kernels prior to 2.4.23. A local user could use this flaw to cause a denial of service (crash) or possibly gain privileges. (CAN-2004-0812) An integer overflow flaw was discovered in the ubsec_keysetup function in the Broadcom 5820 cryptonet driver. On systems using this driver, a local user could cause a denial of service (crash) or possibly gain elevated privileges. (CAN-2004-0619) Stefan Esser discovered various flaws including buffer overflows in the smbfs driver affecting kernels prior to 2.4.28. A local user may be able to cause a denial of service (crash) or possibly gain privileges. In order to exploit these flaws the user would require control of a connected Samba server. (CAN-2004-0883, CAN-2004-0949) SGI discovered a bug in the elf loader that affects kernels prior to 2.4.25 which could be triggered by a malformed binary. On architectures other than x86, a local user could create a malicious binary which could cause a denial of service (crash). (CAN-2004-0136) Conectiva discovered flaws in certain USB drivers affecting kernels prior to 2.4.27 which used the copy_to_user function on uninitialized structures. These flaws could allow local users to read small amounts of kernel memory. (CAN-2004-0685) All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2004-0138 CVE-2004-0619 CVE-2004-0685 CVE-2004-0812 CVE-2004-0883 CVE-2004-0949 CVE-2004-1068 CVE-2004-1070 CVE-2004-1071 CVE-2004-1072 CVE-2004-1073 CAN-2004-0619 Broadcom 5820 integer overflow CAN-2004-0138 Verify interpreter arch CAN-2004-0685 usb sparse fixes in 2.4 CAN-2004-0883 smbfs potential DOS (CAN-2004-0949) CAN-2004-1070 binfmt_elf loader vulnerabilities (CAN-2004-1071 CAN-2004-1072 CAN-2004-1073) CAN-2004-0138 Program crashes the kernel CAN-2004-1068 Missing serialisation in unix_dgram_recvmsg cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. An issue has been discovered in the mod_ssl module when configured to use the "SSLCipherSuite" directive in directory or location context. If a particular location context has been configured to require a specific set of cipher suites, then a client will be able to access that location using any cipher suite allowed by the virtual host configuration. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0885 to this issue. An issue has been discovered in the handling of white space in request header lines using MIME folding. A malicious client could send a carefully crafted request, forcing the server to consume large amounts of memory, leading to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0942 to this issue. Several minor bugs were also discovered, including: - In the mod_cgi module, problems that arise when CGI scripts are invoked from SSI pages by mod_include using the "#include virtual" syntax have been fixed. - In the mod_dav_fs module, problems with the handling of indirect locks on the S/390x platform have been fixed. Users of the Apache HTTP server who are affected by these issues should upgrade to these updated packages, which contain backported patches. Important Copyright 2004 Red Hat, Inc. CVE-2004-0885 CVE-2004-0942 CVE-2004-1834 CAN-2004-0885 SSLCipherSuite bypass CAN-2004-0942 Memory consumption DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 MySQL is a multi-user, multi-threaded SQL database server. This update fixes a number of small bugs, including some potential security problems associated with careless handling of temporary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0381, CAN-2004-0388, and CAN-2004-0457 to these issues. A number of additional security issues that affect mysql have been corrected in the source package. These include CAN-2004-0835, CAN-2004-0836, CAN-2004-0837, and CAN-2004-0957. Red Hat Enterprise Linux 3 does not ship with the mysql-server package and is therefore not affected by these issues. This update also allows 32-bit and 64-bit libraries to be installed concurrently on the same system. All users of mysql should upgrade to these updated packages, which resolve these issues. Low Copyright 2004 Red Hat, Inc. CVE-2004-0381 CVE-2004-0388 CVE-2004-0457 /etc/init.d/mysqld doesn't wait for server to start Always timeout error starting MySQL Daemon mysqlhotcopy of local Fedora DB broken after upgrade from RH9 [PATCH] Bug fix + enhancement for mysql_setpermission botched string concat ? CAN-2004-0381 mysqlbug temporary file vulnerability Cannot drop databases database service should start earlier linking with 'mysql --libs' doesent seem to work correctly. CAN-2004-0457 mysqlhotcopy insecure temporary file vulnerability Service mysqld restart CAN-2004-0835 MySQL flaws (CAN-2004-0836, CAN-2004-0837, CAN-2004-0957) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. TIFF is a widely used file format for bitmapped images. During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect libtiff. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause the application linked to libtiff to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0886 and CAN-2004-0804 to these issues. Additionally, a number of buffer overflow bugs that affect libtiff have been found. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause the application linked to libtiff to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0803 to this issue. All users are advised to upgrade to these errata packages, which contain fixes for these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0803 CVE-2004-0886 CVE-2004-0804 CVE-2004-1307 CAN-2004-0803 buffer overflows in libtiff CAN-2004-0886 multiple integer overflows in libtiff cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The nfs-utils package provides a daemon for the kernel NFS server and related tools, providing a much higher level of performance than the traditional Linux NFS server used by most users. This package also contains the showmount program. Showmount queries the mount daemon on a remote host for information about the NFS (Network File System) server on the remote host. SGI reported that the statd daemon did not properly handle the SIGPIPE signal. A misconfigured or malicious peer could cause statd to crash, leading to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1014 to this issue. Arjan van de Ven discovered a buffer overflow in rquotad. On 64-bit architectures, an improper integer conversion can lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0946 to this issue. Additionally, this updated package addresses the following issues: - The UID of the nfsnobody account has been fixed for 32-bit and 64-bit machines. Because the st_uid field of the stat structure is an unsigned integer, an actual value of -2 cannot be used when creating the account, so the decimal value of -2 is used. On a 32-bit machine, the decimal value of -2 is 65534 but on a 64-bit machine it is 4294967294. This errata enables the nfs-utils post-install script to detect the target architecture, so an appropriate decimal value is used. All users of nfs-utils should upgrade to this updated package, which resolves these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-1014 CVE-2004-0946 CAN-2004-1014 DoS in statd cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 X-Chat is a graphical IRC chat client for the X Window System. A stack buffer overflow has been fixed in the SOCKSv5 proxy code. An attacker could create a malicious SOCKSv5 proxy server in such a way that X-Chat would execute arbitrary code if a victim configured X-Chat to use the proxy. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0409 to this issue. Users of X-Chat should upgrade to this erratum package, which contains a backported security patch, and is not vulnerable to this issue. Low Copyright 2004 Red Hat, Inc. CVE-2004-0409 CAN-2004-0409 XChat buffer overflow in socks5 proxy CAN-2004-0409 XChat buffer overflow in socks5 proxy cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The GNU libc packages (known as glibc) contain the standard C libraries used by applications. This errata fixes several bugs in the GNU C Library. Fixes include (in addition to enclosed Bugzilla entries): - fixed 32-bit atomic operations on 64-bit powerpc - fixed -m32 -I /usr/include/nptl compilation on AMD64 - NPTL <pthread.h> should now be usable in C++ code or -pedantic -std=c89 C - rwlocks are now available also in the _POSIX_C_SOURCE=200112L namespace - pthread_once is no longer throw(), as the callback routine might throw - pthread_create now correctly returns EAGAIN when thread couldn't be created because of lack of memory - fixed NPTL stack freeing in case of pthread_create failure with detached thread - fixed pthread_mutex_timedlock on i386 and AMD64 - Itanium gp saving fix in linuxthreads - fixed s390/s390x unwinding tests done during cancellation if stack frames are small - fixed fnmatch(3) backslash handling - fixed out of memory behaviour of syslog(3) - resolver ID randomization - fixed fim (NaN, NaN) - glob(3) fixes for dangling symlinks - catchsegv fixed to work with both 32-bit and 64-bit binaries on x86-64, s390x and ppc - fixed reinitialization of _res when using NPTL stack cache - updated bug reporting instructions, removed glibcbug script - fixed infinite loop in iconv with some options - fixed inet_aton return value - CPU friendlier busy waiting in linuxthreads on EM64T and IA-64 - avoid blocking/masking debug signal in linuxthreads - fixed locale program output when neither LC_ALL nor LANG is set - fixed using of unitialized memory in localedef - fixed mntent_r escape processing - optimized mtrace script - linuxthread_db fixes on ppc64 - cfi instructions in x86-64 linuxthreads vfork - some _POSIX_C_SOURCE=200112L namespace fixes All users of glibc should upgrade to these updated packages, which resolve these issues. Low Copyright 2004 Red Hat, Inc. CVE-2004-0968 Weird string in date printing malloc exhausts memory to fast in mulithreaded program getnameinfo does not use /etc/hosts for lookup of V4MAPPED addresses __builtin_expect's prototype does not expect int args; assert feeds it just that glibc's traceback() fails when called from an exception handler glibc-nis-performance.patch causes gdm to hang glibc in RHEL 3 needs to have syslog.c updated to cvs version 1.42 CAN-2004-0968 temporary file vulnerabilities in catchsegv script cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. iDEFENSE reported a flaw in the squid SNMP module. This flaw could allow an attacker who has the ability to send arbitrary packets to the SNMP port to restart the server, causing it to drop all open connections. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0918 to this issue. All users of squid should update to this erratum package, which contains a backport of the security fix for this vulnerability. Important Copyright 2004 Red Hat, Inc. CVE-2004-0918 CAN-2004-0918 SNMP DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of xpdf. An attacker could construct a carefully crafted PDF file that could cause xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0888 to this issue. Users of xpdf are advised to upgrade to this errata package, which contains a backported patch correcting these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0888 CAN-2004-0888 xpdf integer overflows (CAN-2005-0206) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The gaim application is a multi-protocol instant messaging client. A buffer overflow has been discovered in the MSN protocol handler. When receiving unexpected sequence of MSNSLP messages, it is possible that an attacker could cause an internal buffer overflow, leading to a crash or possible code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0891 to this issue. This updated gaim package also fixes multiple user interface, protocol, and error handling problems, including an ICQ communication encoding issue. Additionally, these updated packages have compiled gaim as a PIE (position independent executable) for added protection against future security vulnerabilities. All users of gaim should upgrade to this updated package, which includes various bug fixes, as well as a backported security patch. Important Copyright 2004 Red Hat, Inc. CVE-2004-0891 CAN-2004-0891 MSN protocol buffer overflow. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A number of flaws were found in FreeRADIUS versions prior to 1.0.1. An attacker who is able to send packets to the server could construct carefully constructed packets in such a way as to cause the server to consume memory or crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0938, CAN-2004-0960, and CAN-2004-0961 to these issues. Users of FreeRADIUS should update to these erratum packages that contain FreeRADIUS 1.0.1, which is not vulnerable to these issues and also corrects a number of bugs. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0938 CVE-2004-0960 CVE-2004-0961 zlib-devel is missing from BuildRequires in spec file rebuilding freeradius picks up system libeap rather than package libeap Missing buildrequires in freediag radiusd.conf specifies other pam-auth than file installed in /etc/pam.d CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960, CAN-2004-0961) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an open source implementation of the X Window System. It provides the basic low level functionality which full fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon. Several integer overflow flaws in the X.Org libXpm library used to decode XPM (X PixMap) images have been found and addressed. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0914 to this issue. Users are advised to upgrade to these erratum packages, which contain backported security patches as well as other bug fixes. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0914 CAN-2004-0914 libXpm integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 libxml2 is a library for manipulating XML files. Multiple buffer overflow bugs have been found in libxml2 versions prior to 2.6.14. If an attacker can trick a user into passing a specially crafted FTP URL or FTP proxy URL to an application that uses the vulnerable functions of libxml2, it could be possible to execute arbitrary code. Additionally, if an attacker can return a specially crafted DNS request to libxml2, it could be possible to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0989 to this issue. All users are advised to upgrade to this updated package, which contains backported patches and is not vulnerable to these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0989 CAN-2004-0989 multiple buffer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. During a code audit, Stefan Esser discovered a buffer overflow in Samba versions prior to 3.0.8 when handling unicode filenames. An authenticated remote user could exploit this bug which may lead to arbitrary code execution on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0882 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to remotely exploit this vulnerability on x86 architectures. Additionally, a bug was found in the input validation routines in versions of Samba prior to 3.0.8 that caused the smbd process to consume abnormal amounts of system memory. An authenticated remote user could exploit this bug to cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0930 to this issue. Users of Samba should upgrade to these updated packages, which contain backported security patches, and are not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0882 CVE-2004-0930 CAN-2004-0882 unicode parsing overflow CAN-2004-0930 wildcard remote DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The zip program is an archiving utility which can create ZIP-compatible archives. A buffer overflow bug has been discovered in zip when handling long file names. An attacker could create a specially crafted path which could cause zip to crash or execute arbitrary instructions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1010 to this issue. Users of zip should upgrade to this updated package, which contains backported patches and is not vulnerable to this issue. Low Copyright 2004 Red Hat, Inc. CVE-2004-1010 CAN-2004-1010 buffer overflow when creating archive containing very long filenames. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ruby is an interpreted scripting language for object-oriented programming. A flaw was dicovered in the CGI module of Ruby. If empty data is sent by the POST method to the CGI script which requires MIME type multipart/form-data, it can get stuck in a loop. A remote attacker could trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0983 to this issue. Users are advised to upgrade to this erratum package, which contains a backported patch to cgi.rb. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0983 CAN-2004-0983 Denial of Service in Ruby cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 ImageMagick(TM) is an image display and manipulation tool for the X Window System. A buffer overflow flaw was discovered in the ImageMagick image handler. An attacker could create a carefully crafted image file with an improper EXIF information in such a way that it would cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0981 to this issue. David Eisenstein has reported that our previous fix for CAN-2004-0827, a heap overflow flaw, was incomplete. An attacker could create a carefully crafted BMP file in such a way that it could cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0827 to this issue. Users of ImageMagick should upgrade to these updated packages, which contain a backported patch, and is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0981 CVE-2004-0827 CAN-2004-0827 heap overflow in BMP decoder CAN-2004-0981 buffer overflow in ImageMagick's EXIF parser cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The gd packages contain a graphics library used for the dynamic creation of images such as PNG and JPEG. Several buffer overflows were reported in various memory allocation calls. An attacker could create a carefully crafted image file in such a way that it could cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0990 to these issues. While researching the fixes to these overflows, additional buffer overflows were discovered in calls to gdMalloc. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0941 to these issues. Users of gd should upgrade to these updated packages, which contain a backported security patch, and are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-0941 CVE-2004-0990 CAN-2004-0990 integer overflow in PNG handling. CAN-2004-0941 additional overflows in gd cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libxml package contains a library for manipulating XML files. Multiple buffer overflow bugs have been found in libxml versions prior to 2.6.14. If an attacker can trick a user into passing a specially crafted FTP URL or FTP proxy URL to an application that uses the vulnerable functions of libxml, it could be possible to execute arbitrary code. Additionally, if an attacker can return a specially crafted DNS request to libxml, it could be possible to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0989 to this issue. Yuuichi Teranishi discovered a flaw in libxml versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0110 to this issue. All users are advised to upgrade to this updated package, which contains backported patches and is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0110 CVE-2004-0989 CAN-2004-0110 multiple buffer overflows (CAN-2004-0989) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The imlib packages contain an image loading and rendering library. Pavel Kankovsky discovered several heap overflow flaws that were found in the imlib image handler. An attacker could create a carefully crafted image file in such a way that it could cause an application linked with imlib to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1025 to this issue. Additionally, Pavel discovered several integer overflow flaws that were found in the imlib image handler. An attacker could create a carefully crafted image file in such a way that it could cause an application linked with imlib to execute arbitrary code or crash when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1026 to this issue. Users of imlib should update to these updated packages, which contain backported patches and are not vulnerable to this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-1025 CVE-2004-1026 CAN-2004-1025 Multiple imlib issues. (CAN-2004-1026) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SquirrelMail is a webmail package written in PHP. A cross-site scripting bug has been found in SquirrelMail. This issue could allow an attacker to send a mail with a carefully crafted header, which could result in causing the victim's machine to execute a malicious script. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1036 to this issue. Additionally, the following issues have been addressed: - updated splash screens - HIGASHIYAMA Masato's patch to improve Japanese support - real 1.4.3a tarball - config_local.php and default_pref in /etc/squirrelmail/ to match upstream RPM. Please note that it is possible that upgrading to this package may remove your SquirrelMail configuration files due to a bug in the RPM package. Upgrading will prevent this from happening in the future. Users of SquirrelMail are advised to upgrade to this updated package which contains a patched version of SquirrelMail version 1.43a and is not vulnerable to these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-1036 The login page says Red Hat Linux instead of Fedora/RHEL config_local.php is not listed as a config file CAN-2004-1036 Cross Site Scripting in encoded text cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. Greg MacManus of iDEFENSE Labs has discovered an integer overflow bug in Samba versions prior to 3.0.10. An authenticated remote user could exploit this bug which may lead to arbitrary code execution on the Samba server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1154 to this issue. Users of Samba should upgrade to these updated packages, which contain backported security patches, and are not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-1154 CAN-2004-1154 Samba authenticated remote root cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Flaws including possible information disclosure, double free, and negative reference index array underflow were found in the deserialization code of PHP. PHP applications may use the unserialize function on untrusted user data, which could allow a remote attacker to gain access to memory or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1019 to this issue. A flaw in the exif extension of PHP was found which lead to a stack overflow. An attacker could create a carefully crafted image file in such a way that if parsed by a PHP script using the exif extension it could cause a crash or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1065 to this issue. An information disclosure bug was discovered in the parsing of "GPC" variables in PHP (query strings or cookies, and POST form data). If particular scripts used the values of the GPC variables, portions of the memory space of an httpd child process could be revealed to the client. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0958 to this issue. A file access bug was discovered in the parsing of "multipart/form-data" forms, used by PHP scripts which allow file uploads. In particular configurations, some scripts could allow a malicious client to upload files to an arbitrary directory where the "apache" user has write access. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0959 to this issue. Flaws were found in shmop_write, pack, and unpack PHP functions. These functions are not normally passed user supplied data, so would require a malicious PHP script to be exploited. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1018 to this issue. Various issues were discovered in the use of the "select" system call in PHP, which could be triggered if PHP is used in an Apache configuration where the number of open files (such as virtual host log files) exceeds the default process limit of 1024. Workarounds are now included for some of these issues. The "phpize" shell script included in PHP can be used to build third-party extension modules. A build issue was discovered in the "phpize" script on some 64-bit platforms which prevented correct operation. The "pcntl" extension module is now enabled in the command line PHP interpreter, /usr/bin/php. This module enables process control features such as "fork" and "kill" from PHP scripts. Users of PHP should upgrade to these updated packages, which contain fixes for these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0958 CVE-2004-0959 CVE-2004-1018 CVE-2004-1019 CVE-2004-1065 Include process control extension, pcntl phpize is broken on x86_64 fopen doesn't work across remote connections while under Apache CAN-2004-0958 PHP variable parsing CAN-2004-0959 PHP arbitrary file creation CAN-2004-1019 information disclosure issues CAN-2004-1065 ext/exif/exif.c - exif_read_data() overflow on long sectionname cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This advisory includes fixes for several security issues: Petr Vandrovec discovered a flaw in the 32bit emulation code affecting the Linux 2.4 kernel on the AMD64 architecture. A local attacker could use this flaw to gain privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1144 to this issue. ISEC security research discovered multiple vulnerabilities in the IGMP functionality which was backported in the Red Hat Enterprise Linux 3 kernels. These flaws could allow a local user to cause a denial of service (crash) or potentially gain privileges. Where multicast applications are being used on a system, these flaws may also allow remote users to cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1137 to this issue. ISEC security research and Georgi Guninski independantly discovered a flaw in the scm_send function in the auxiliary message layer. A local user could create a carefully crafted auxiliary message which could cause a denial of service (system hang). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1016 to this issue. A floating point information leak was discovered in the ia64 architecture context switch code. A local user could use this flaw to read register values of other processes by setting the MFH bit. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0565 to this issue. Kirill Korotaev found a flaw in load_elf_binary affecting kernels prior to 2.4.26. A local user could create a carefully crafted binary in such a way that it would cause a denial of service (system crash). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1234 to this issue. These packages also fix issues in the io_edgeport driver, and a memory leak in ip_options_get. Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2004-0565 CVE-2004-1016 CVE-2004-1017 CVE-2004-1137 CVE-2004-1144 CVE-2004-1234 CVE-2004-1335 CAN-2004-0565 Information leak on Linux/ia64 CAN-2004-0565 Information leak on Linux/ia64 CAN-2004-1016 CMSG validation checks CAN-2004-1137 IGMP flaws CAN-2004-1144 x86-64 privilege escalation CAN-2004-1234 kernel denial of service vulnerability and exploit cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdelibs packages include libraries for the K Desktop Environment. The kdebase packages include core applications for the K Desktop Environment. Secunia Research discovered a window injection spoofing vulnerability affecting the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a different browser window. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1158 to this issue. A bug was discovered in the way kioslave handles URL-encoded newline (%0a) characters before the FTP command. It is possible that a specially crafted URL could be used to execute any ftp command on a remote server, or potentially send unsolicited email. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1165 to this issue. A bug was discovered that can crash KDE screensaver under certain local circumstances. This could allow an attacker with physical access to the workstation to take over a locked desktop session. Please note that this issue only affects Red Hat Enterprise Linux 2.1. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-0078 to this issue. All users of KDE are advised to upgrade to this updated packages, which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1158 CVE-2004-1165 CVE-2005-0078 CAN-2004-1158 Frame injection vulnerability. CAN-2005-0078 password bypass in kde screensaver CAN-2004-1165 kioslave command injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 VIM (Vi IMproved) is an updated and improved version of the vi screen-based editor. Ciaran McCreesh discovered a modeline vulnerability in VIM. It is possible that a malicious user could create a file containing a specially crafted modeline which could cause arbitrary command execution when viewed by a victim. Please note that this issue only affects users who have modelines and filetype plugins enabled, which is not the default. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1138 to this issue. All users of VIM are advised to upgrade to these erratum packages, which contain a backported patch for this issue. Low Copyright 2005 Red Hat, Inc. CVE-2004-1138 CAN-2004-1138 vim arbitrary command execution vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws. A flaw in the DICOM dissector could cause a crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1139 to this issue. A invalid RTP timestamp could hang Ethereal and create a large temporary file, possibly filling available disk space. (CAN-2004-1140) The HTTP dissector could access previously-freed memory, causing a crash. (CAN-2004-1141) An improperly formatted SMB packet could make Ethereal hang, maximizing CPU utilization. (CAN-2004-1142) The COPS dissector could go into an infinite loop. (CAN-2005-0006) The DLSw dissector could cause an assertion, making Ethereal exit prematurely. (CAN-2005-0007) The DNP dissector could cause memory corruption. (CAN-2005-0008) The Gnutella dissector could cause an assertion, making Ethereal exit prematurely. (CAN-2005-0009) The MMSE dissector could free static memory, causing a crash. (CAN-2005-0010) The X11 protocol dissector is vulnerable to a string buffer overflow. (CAN-2005-0084) Users of Ethereal should upgrade to these updated packages which contain version 0.10.9 that is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1139 CVE-2004-1140 CVE-2004-1141 CVE-2004-1142 CVE-2005-0006 CVE-2005-0007 CVE-2005-0008 CVE-2005-0009 CVE-2005-0010 CVE-2005-0084 CAN-2004-1139 Ethereal flaws (CAN-2004-1140 CAN-2004-1141 CAN-2004-1142) CAN-2005-0006 multiple ethereal issues (CAN-2005-0007 CAN-2005-0008 CAN-2005-0009 CAN-2005-0010 CAN-2005-0084) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This bug could allow an authenticated remote attacker to execute arbitrary commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1189 to this issue. Additionally a temporary file bug was found in the Kerberos krb5-send-pr program. It is possible that an attacker could create a temporary file that would allow an arbitrary file to be overwritten which the victim has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0971 to this issue. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0971 CVE-2004-1189 CAN-2004-0971 temporary file vulnerabilities in krb5-send-pr script CAN-2004-0971 temporary file vulnerabilities in krb5-send-pr script CAN-2004-1189 buffer overflow in krb5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. A buffer overflow was found in the CUPS pdftops filter, which uses code from the Xpdf package. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow was found in the ParseCommand function in the hpgltops program. An attacker who has the ability to send a malicious HPGL file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1267 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to exploit these buffer overflow vulnerabilities on x86 architectures. The lppasswd utility ignores write errors when modifying the CUPS passwd file. A local user who is able to fill the associated file system could corrupt the CUPS password file or prevent future uses of lppasswd. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1268 and CAN-2004-1269 to these issues. The lppasswd utility does not verify that the passwd.new file is different from STDERR, which could allow local users to control output to passwd.new via certain user input that triggers an error message. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1270 to this issue. In addition to these security issues, two other problems not relating to security have been fixed: Resuming a job with "lp -H resume", which had previously been held with "lp -H hold" could cause the scheduler to stop. This has been fixed in later versions of CUPS, and has been backported in these updated packages. The cancel-cups(1) man page is a symbolic link to another man page. The target of this link has been corrected. All users of cups should upgrade to these updated packages, which resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1125 CVE-2004-1267 CVE-2004-1268 CVE-2004-1269 CVE-2004-1270 cancel-cups man page missing from errata package CAN-2004-1267 Bernstein cups issues (CAN-2004-1268 CAN-2004-1269 CAN-2004-1270) CAN-2004-1125 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to exploit this vulnerability on x86 architectures. All users of the Xpdf packages should upgrade to these updated packages, which resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1125 CAN-2004-1125 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. iDEFENSE has reported an integer overflow bug that affects libtiff. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause the application linked to libtiff to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1308 to this issue. Dmitry V. Levin reported another integer overflow in the tiffdump utility. An atacker who has the ability to trick a user into opening a malicious TIFF file with tiffdump could possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1183 to this issue. All users are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1308 CVE-2004-1183 CAN-2004-1308 LibTIFF Directory Entry Count Integer Overflow Vulnerability CVE-2004-1183 libtiff: tiffdump integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdegraphics package contains graphics applications for the K Desktop Environment. During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect libtiff. The kfax application contains a copy of the libtiff code used for parsing TIFF files and is therefore affected by these bugs. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause kfax to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0886 and CAN-2004-0804 to these issues. Additionally, a number of buffer overflow bugs that affect libtiff have been found. The kfax application contains a copy of the libtiff code used for parsing TIFF files and is therefore affected by these bugs. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause kfax to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0803 to this issue. Users of kfax should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0803 CVE-2004-0886 CVE-2004-0804 CVE-2004-1307 CVE-2004-1308 CAN-2004-0803 buffer overflows in libtiff CAN-2004-0886 multiple integer overflows in libtiff cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow was discovered in the spa_base64_to_bits function in Exim, as originally obtained from Samba code. If SPA authentication is enabled, a remote attacker may be able to exploit this vulnerability to execute arbitrary code as the 'exim' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0022 to this issue. Please note that SPA authentication is not enabled by default in Red Hat Enterprise Linux 4. Buffer overflow flaws were discovered in the host_aton and dns_build_reverse functions in Exim. A local user can trigger these flaws by executing exim with carefully crafted command line arguments and may be able to gain the privileges of the 'exim' account. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0021 to this issue. Users of Exim are advised to update to these erratum packages which contain backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0021 CVE-2005-0022 CAN-2005-0021 exim security issues (CAN-2005-0022) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The tetex packages (teTeX) contain an implementation of TeX for Linux or UNIX systems. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf which also affects teTeX due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause teTeX to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects teTeX due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause teTeX to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. Users should update to these erratum packages which contain backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0064 CVE-2004-1125 CAN-2004-1125 xpdf buffer overflow CAN-2005-0064 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Flaws including possible information disclosure, double free, and negative reference index array underflow were found in the deserialization code of PHP. PHP applications may use the unserialize function on untrusted user data, which could allow a remote attacker to gain access to memory or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1019 to this issue. A flaw in the exif extension of PHP was found which lead to a stack overflow. An attacker could create a carefully crafted image file in such a way which, if parsed by a PHP script using the exif extension, could cause a crash or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1065 to this issue. Flaws were found in shmop_write, pack, and unpack PHP functions. These functions are not normally passed user supplied data, so would require a malicious PHP script to be exploited. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1018 to this issue. Users of PHP should upgrade to these updated packages, which contain fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1018 CVE-2004-1019 CVE-2004-1065 CAN-2004-1018 Multiple issues in PHP (CAN-2004-1019 CAN-2004-1020) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The alsa-lib package provides a library of functions for communication with kernel sound drivers. A flaw in the alsa mixer code was discovered that caused stack execution protection to be disabled for the libasound.so library. The effect of this flaw is that stack execution protection, through NX or Exec-Shield, would be disabled for any application linked to libasound. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0087 to this issue Users are advised to upgrade to this updated package, which contains a patched version of the library which correctly enables stack execution protection. Important Copyright 2005 Red Hat, Inc. CVE-2005-0087 CAN-2005-0087 alsa-lib disables stack protection for it's users cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. This issue was assigned the name CAN-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). Red Hat Enterprise Linux 4 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. All users of Xpdf should upgrade to this updated package, which contains backported patches to resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1125 CVE-2005-0064 CVE-2005-0206 PDF is displayed garbled, older xpdf works CAN-2004-1125 xpdf buffer overflow CAN-2005-0064 xpdf buffer overflow CAN-2004-0888 xpdf integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. infamous41md discovered integer overflow flaws in libtiff. An attacker could create a carefully crafted TIFF file in such a way that it could cause an application linked with libtiff to overflow a heap buffer when the file was opened by a victim. Due to the nature of the overflow it is unlikely that it is possible to use this flaw to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1308 to this issue. Dmitry V. Levin discovered an integer overflow flaw in libtiff. An attacker could create a carefully crafted TIFF file in such a way that it could cause an application linked with libtiff to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1183 to this issue. All users are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1308 CVE-2004-1183 CAN-2004-1308 LibTIFF Directory Entry Count Integer Overflow Vulnerability CAN-2004-1183 libtiff integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 VIM (Vi IMproved) is an updated and improved version of the vi screen-based editor. Ciaran McCreesh discovered a modeline vulnerability in VIM. An attacker could create a text file containing a specially crafted modeline which could cause arbitrary command execution when viewed by a victim using VIM. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1138 to this issue. Please note that this issue only affects users who have modelines and filetype plugins enabled, which is not the default. The Debian Security Audit Project discovered an insecure temporary file usage in VIM. A local user could overwrite or create files as a different user who happens to run one of the the vulnerable utilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0069 to this issue. All users of VIM are advised to upgrade to these erratum packages, which contain backported patches for these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1138 CVE-2005-0069 CAN-2004-1138 vim arbitrary command execution vulnerability CAN-2005-0069 vim unsafe temporary file usage. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Ethereal is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws. A flaw in the DICOM dissector could cause a crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1139 to this issue. A invalid RTP timestamp could hang Ethereal and create a large temporary file, possibly filling available disk space. (CAN-2004-1140) The HTTP dissector could access previously-freed memory, causing a crash. (CAN-2004-1141) An improperly formatted SMB packet could make Ethereal hang, maximizing CPU utilization. (CAN-2004-1142) The COPS dissector could go into an infinite loop. (CAN-2005-0006) The DLSw dissector could cause an assertion, making Ethereal exit prematurely. (CAN-2005-0007) The DNP dissector could cause memory corruption. (CAN-2005-0008) The Gnutella dissector could cause an assertion, making Ethereal exit prematurely. (CAN-2005-0009) The MMSE dissector could free static memory, causing a crash. (CAN-2005-0010) The X11 protocol dissector is vulnerable to a string buffer overflow. (CAN-2005-0084) Users of Ethereal should upgrade to these updated packages which contain version 0.10.9 that is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1139 CVE-2004-1140 CVE-2004-1141 CVE-2004-1142 CVE-2005-0006 CVE-2005-0007 CVE-2005-0008 CVE-2005-0009 CVE-2005-0010 CVE-2005-0084 CAN-2004-1139 Ethereal flaws (CAN-2004-1140 CAN-2004-1141 CAN-2004-1142) CAN-2005-0006 multiple ethereal issues (CAN-2005-0007 CAN-2005-0008 CAN-2005-0009 CAN-2005-0010 CAN-2005-0084) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. iSEC Security Research has discovered a buffer overflow bug in the way Mozilla handles NNTP URLs. If a user visits a malicious web page or is convinced to click on a malicious link, it may be possible for an attacker to execute arbitrary code on the victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1316 to this issue. Users of Mozilla should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1316 CAN-2004-1316 buffer overflow in mozilla cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 GNU enscript converts ASCII files to PostScript. Enscript has the ability to interpret special escape sequences. A flaw was found in the handling of the epsf command used to insert inline EPS files into a document. An attacker could create a carefully crafted ASCII file which made use of the epsf pipe command in such a way that it could execute arbitrary commands if the file was opened with enscript by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1184 to this issue. Additional flaws in Enscript were also discovered which can only be triggered by executing enscript with carefully crafted command line arguments. These flaws therefore only have a security impact if enscript is executed by other programs and passed untrusted data from remote users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1185 and CAN-2004-1186 to these issues. All users of enscript should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1184 CVE-2004-1185 CVE-2004-1186 CAN-2004-1184 multiple security issues in enscript (CAN-2004-1185 CAN-2004-1186) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GNU enscript converts ASCII files to PostScript. Enscript has the ability to interpret special escape sequences. A flaw was found in the handling of the epsf command used to insert inline EPS files into a document. An attacker could create a carefully crafted ASCII file which made use of the epsf pipe command in such a way that it could execute arbitrary commands if the file was opened with enscript by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1184 to this issue. Additional flaws in Enscript were also discovered which can only be triggered by executing enscript with carefully crafted command line arguments. These flaws therefore only have a security impact if enscript is executed by other programs and passed untrusted data from remote users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1185 and CAN-2004-1186 to these issues. All users of enscript should upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1184 CVE-2004-1185 CVE-2004-1186 CAN-2004-1184 multiple security issues in enscript (CAN-2004-1185 CAN-2004-1186) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This advisory includes fixes for several security issues: iSEC Security Research discovered a VMA handling flaw in the uselib(2) system call of the Linux kernel. A local user could make use of this flaw to gain elevated (root) privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1235 to this issue. A flaw was discovered where an executable could cause a VMA overlap leading to a crash. A local user could trigger this flaw by creating a carefully crafted a.out binary on 32-bit systems or a carefully crafted ELF binary on Itanium systems. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0003 to this issue. iSEC Security Research discovered a flaw in the page fault handler code that could lead to local users gaining elevated (root) privileges on multiprocessor machines. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0001 to this issue. A patch that coincidentally fixed this issue was committed to the Update 4 kernel release in December 2004. Therefore Red Hat Enterprise Linux 3 kernels provided by RHBA-2004:550 and subsequent updates are not vulnerable to this issue. A flaw in the system call filtering code in the audit subsystem included in Red Hat Enterprise Linux 3 allowed a local user to cause a crash when auditing was enabled. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1237 to this issue. Olaf Kirch discovered that the recent security fixes for cmsg_len handling (CAN-2004-1016) broke 32-bit compatibility on 64-bit platforms such as AMD64 and Intel EM64T. A patch to correct this issue is included. A recent Internet Draft by Fernando Gont recommended that ICMP Source Quench messages be ignored by hosts. A patch to ignore these messages is included. Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2005 Red Hat, Inc. CVE-2004-0791 CVE-2004-1074 CVE-2004-1235 CVE-2004-1237 CVE-2005-0003 CAN-2004-1237 Kernel panic when stopping Lotus Domino 6.52 CAN-2004-1237 instant kernel panic from one line perl program - BAD CAN-2004-1237 kernel oops captured, system hangs CAN-2004-1237 kernel panic ( __audit_get_target) CAN-2004-1237 kernel panic caused by auditd CAN-2004-1237 kernel panic when Oracle agentctl is run CAN-2004-1235 isec.pl uselib() privilege escalation CAN-2005-0003 huge vma-in-executable bug cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This bug could allow an authenticated remote attacker to execute arbitrary commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1189 to this issue. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1189 CAN-2004-1189 buffer overflow in krb5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to remotely exploit these buffer overflow vulnerabilities on x86 architectures. All users of cups should upgrade to these updated packages, which resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0064 CAN-2005-0064 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf, which also affects CUPS due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. This issue was assigned the name CAN-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). Red Hat Enterprise Linux 4 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the ParseCommand function in the hpgltops program. An attacker who has the ability to send a malicious HPGL file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1267 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. The lppasswd utility was found to ignore write errors when modifying the CUPS passwd file. A local user who is able to fill the associated file system could corrupt the CUPS password file or prevent future uses of lppasswd. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1268 and CAN-2004-1269 to these issues. The lppasswd utility was found to not verify that the passwd.new file is different from STDERR, which could allow local users to control output to passwd.new via certain user input that triggers an error message. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1270 to this issue. All users of cups should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1125 CVE-2004-1267 CVE-2004-1268 CVE-2004-1269 CVE-2004-1270 CVE-2005-0064 CVE-2005-0206 CAN-2004-1267 Bernstein cups issues (CAN-2004-1268 CAN-2004-1269 CAN-2004-1270) CAN-2004-1125 xpdf buffer overflow CAN-2005-0064 xpdf buffer overflow CAN-2004-0888 xpdf issues affect cups (CAN-2005-0206) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GPdf is a viewer for Portable Document Format (PDF) files for GNOME. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf which also affects GPdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause GPdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects GPdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause GPdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf, which also affects GPdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause GPdf to crash or possibly execute arbitrary code when opened. This issue was assigned the name CAN-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). Red Hat Enterprise Linux 4 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. Users should update to this erratum package which contains backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1125 CVE-2005-0064 CVE-2005-0206 CAN-2004-1125 gpdf buffer overflow CAN-2005-0064 xpdf buffer overflow CAN-2004-0888 xpdf integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. A buffer overflow flaw was found when processing the /Encrypt /Length tag. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to exploit this vulnerability on x86 architectures. All users of the Xpdf package should upgrade to this updated package, which resolves this issue Important Copyright 2005 Red Hat, Inc. CVE-2005-0064 CAN-2005-0064 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Squid is a full-featured Web proxy cache. A buffer overflow flaw was found in the Gopher relay parser. This bug could allow a remote Gopher server to crash the Squid proxy that reads data from it. Although Gopher servers are now quite rare, a malicious webpage (for example) could redirect or contain a frame pointing to an attacker's malicious gopher server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0094 to this issue. An integer overflow flaw was found in the WCCP message parser. It is possible to crash the Squid server if an attacker is able to send a malformed WCCP message with a spoofed source address matching Squid's "home router". The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0095 to this issue. A memory leak was found in the NTLM fakeauth_auth helper. It is possible that an attacker could place the Squid server under high load, causing the NTML fakeauth_auth helper to consume a large amount of memory, resulting in a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0096 to this issue. A NULL pointer de-reference bug was found in the NTLM fakeauth_auth helper. It is possible for an attacker to send a malformed NTLM type 3 message, causing the Squid server to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0097 to this issue. A username validation bug was found in squid_ldap_auth. It is possible for a username to be padded with spaces, which could allow a user to bypass explicit access control rules or confuse accounting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0173 to this issue. The way Squid handles HTTP responses was found to need strengthening. It is possible that a malicious Web server could send a series of HTTP responses in such a way that the Squid cache could be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0174 and CAN-2005-0175 to these issues. A bug was found in the way Squid handled oversized HTTP response headers. It is possible that a malicious Web server could send a specially crafted HTTP header which could cause the Squid cache to be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0241 to this issue. A buffer overflow bug was found in the WCCP message parser. It is possible that an attacker could send a malformed WCCP message which could crash the Squid server or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0211 to this issue. Users of Squid should upgrade to this updated package, which contains backported patches, and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0094 CVE-2005-0095 CVE-2005-0096 CVE-2005-0097 CVE-2005-0173 CVE-2005-0174 CVE-2005-0175 CVE-2005-0211 CVE-2005-0241 CAN-2005-0094 Multiple issues with squid (CAN-2005-0095 CAN-2005-0096 CAN-2005-0097) CAN-2005-0173 Multiple squid issues (CAN-2005-0174 CAN-2005-0175) CAN-2005-0211 Buffer overflow in WCCP recvfrom() call CAN-2005-0241 Correct handling of oversized reply headers cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A buffer overflow flaw was found in the Gopher relay parser. This bug could allow a remote Gopher server to crash the Squid proxy that reads data from it. Although Gopher servers are now quite rare, a malicious web page (for example) could redirect or contain a frame pointing to an attacker's malicious gopher server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0094 to this issue. An integer overflow flaw was found in the WCCP message parser. It is possible to crash the Squid server if an attacker is able to send a malformed WCCP message with a spoofed source address matching Squid's "home router". The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0095 to this issue. A memory leak was found in the NTLM fakeauth_auth helper. It is possible that an attacker could place the Squid server under high load, causing the NTML fakeauth_auth helper to consume a large amount of memory, resulting in a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0096 to this issue. A NULL pointer de-reference bug was found in the NTLM fakeauth_auth helper. It is possible for an attacker to send a malformed NTLM type 3 message, causing the Squid server to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0097 to this issue. A username validation bug was found in squid_ldap_auth. It is possible for a username to be padded with spaces, which could allow a user to bypass explicit access control rules or confuse accounting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0173 to this issue. The way Squid handles HTTP responses was found to need strengthening. It is possible that a malicious web server could send a series of HTTP responses in such a way that the Squid cache could be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0174 and CAN-2005-0175 to these issues. A bug was found in the way Squid handled oversized HTTP response headers. It is possible that a malicious web server could send a specially crafted HTTP header which could cause the Squid cache to be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0241 to this issue. A buffer overflow bug was found in the WCCP message parser. It is possible that an attacker could send a malformed WCCP message which could crash the Squid server or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0211 to this issue. Users of Squid should upgrade to this updated package, which contains backported patches, and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0094 CVE-2005-0095 CVE-2005-0096 CVE-2005-0097 CVE-2005-0173 CVE-2005-0174 CVE-2005-0175 CVE-2005-0211 CVE-2005-0241 CAN-2005-0094 Multiple issues with squid (CAN-2005-0095 CAN-2005-0096 CAN-2005-0097) CAN-2005-0173 Multiple squid issues (CAN-2005-0174 CAN-2005-0175) CAN-2005-0241 Correct handling of oversized reply headers cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdelibs packages include libraries for the K Desktop Environment. Two flaws were found in the sandbox environment used to run Java-applets in the Konqueror web browser. If a user has Java enabled in Konqueror and visits a malicious website, the website could run a carefully crafted Java-applet and obtain escalated privileges allowing reading and writing of arbitrary files with the privileges of the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1145 to this issue. A flaw was discovered in the FTP kioslave. KDE applications such as Konqueror could be forced to execute arbitrary FTP commands via a carefully crafted ftp URL. The URL could also be crafted in such a way as to send an arbitrary email via SMTP. An attacker could make use of this flaw if a victim visits a malicious web site. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1165 to this issue. Users should update to these erratum packages which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1145 CVE-2004-1165 CAN-2004-1145 Konqueror Java Vulnerability CAN-2004-1165 kioslave command injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment including kpdf, a pdf file viewer. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf that also affects kpdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects kpdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf which also affects kpdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0888 to this issue. Users should update to these erratum packages which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-0888 CVE-2004-1125 CVE-2005-0064 CAN-2004-1125 kpdf buffer overflows (CAN-2005-0064) CAN-2004-0888 xpdf integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The less utility is a text file browser that resembles more, but has extended capabilities. Victor Ashik discovered a heap based buffer overflow in less, caused by a patch added to the less package in Red Hat Enterprise Linux 3. An attacker could construct a carefully crafted file that could cause less to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0086 to this issue. Note that this issue only affects the version of less distributed with Red Hat Enterprise Linux 3. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to remotely exploit this vulnerability on x86 architectures. All users of the less package should upgrade to this updated package, which resolves this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0086 CAN-2005-0086 less crashes on scrolling of binary files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 DBI is a database access Application Programming Interface (API) for the Perl programming language. The Debian Security Audit Project discovered that the DBI library creates a temporary PID file in an insecure manner. A local user could overwrite or create files as a different user who happens to run an application which uses DBI::ProxyServer. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0077 to this issue. Users should update to this erratum package which disables the temporary PID file unless configured. Low Copyright 2005 Red Hat, Inc. CVE-2005-0077 CAN-2005-0077 perl-DBI insecure temporary file usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 ImageMagick is an image display and manipulation tool for the X Window System. Andrei Nigmatulin discovered a heap based buffer overflow flaw in the ImageMagick image handler. An attacker could create a carefully crafted Photoshop Document (PSD) image in such a way that it would cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0005 to this issue. A format string bug was found in the way ImageMagick handles filenames. An attacker could execute arbitrary code on a victim's machine if they were able to trick the victim into opening a file with a specially crafted name. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0397 to this issue. A bug was found in the way ImageMagick handles TIFF tags. It is possible that a TIFF image file with an invalid tag could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0759 to this issue. A bug was found in ImageMagick's TIFF decoder. It is possible that a specially crafted TIFF image file could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0760 to this issue. A bug was found in the way ImageMagick parses PSD files. It is possible that a specially crafted PSD file could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0761 to this issue. A heap overflow bug was found in ImageMagick's SGI parser. It is possible that an attacker could execute arbitrary code by tricking a user into opening a specially crafted SGI image file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0762 to this issue. Users of ImageMagick should upgrade to these updated packages, which contain backported patches, and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0005 CVE-2005-0397 CVE-2005-0759 CVE-2005-0760 CVE-2005-0761 CVE-2005-0762 CAN-2005-0005 buffer overflow in ImageMagick CAN-2005-0397 ImageMagick format string flaw CAN-2005-0759 Denial of Service in .tiff images with invalid TAG CAN-2005-0760 Accessing memory outside of image during decoding of TIFF CAN-2005-0761 Bug in parsing PSD files CAN-2005-0762 Buffer overflow in SGI parser cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 ImageMagick is an image display and manipulation tool for the X Window System. Andrei Nigmatulin discovered a heap based buffer overflow flaw in the ImageMagick image handler. An attacker could create a carefully crafted Photoshop Document (PSD) image in such a way that it would cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0005 to this issue. Users of ImageMagick should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0005 CAN-2005-0005 buffer overflow in ImageMagick cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 DBI is a database access Application Programming Interface (API) for the Perl programming language. The Debian Security Audit Project discovered that the DBI library creates a temporary PID file in an insecure manner. A local user could overwrite or create files as a different user who happens to run an application which uses DBI::ProxyServer. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0077 to this issue. Users should update to this erratum package which disables the temporary PID file unless configured. Low Copyright 2005 Red Hat, Inc. CVE-2005-0077 CAN-2005-0077 perl-DBI insecure temporary file usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GNU cpio copies files into or out of a cpio or tar archive. It was discovered that cpio uses a 0 umask when creating files using the -O (archive) option. This creates output files with mode 0666 (all can read and write) regardless of the user's umask setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-1999-1572 to this issue. Users of cpio should upgrade to this updated package, which resolves this issue. Red Hat would like to thank Mike O'Connor for bringing this issue to our attention. Low Copyright 2005 Red Hat, Inc. CVE-1999-1572 CAN-1999-1572 cpio insecure file creation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The rsh package contains a set of programs that allow users to run commands on remote machines, login to other machines, and copy files between machines, using the rsh, rlogin, and rcp commands. All three of these commands use rhosts-style authentication. The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses rcp to copy files from a malicious server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0175 to this issue. These updated packages also address the following bugs: The rexec command failed with "Invalid Argument", because the code used sigaction() as an unsupported signal. The rlogind server reported "SIGCHLD set to SIG_IGN but calls wait()" message to the system log because the original BSD code was ported incorrectly to linux. The rexecd server did not function on systems where client hostnames were not in the DNS service, because server code called gethostbyaddr() for each new connection. The rcp command incorrectly used the "errno" variable and produced erroneous error messages. The rexecd command ignored settings in the /etc/security/limits file, because the PAM session was incorrectly initialized. The rexec command prompted for username and password regardless of the ~/.netrc configuration file contents. This updated package contains a patch that no longer skips the ~/.netrc file. All users of rsh should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-0175 rcp gives incorrect error report when file system writes fai rexec fails with "Invalid Argument" RHEL3: rexec prompts for username/password before checking ~/.netrc RHEL3: rexecd does not set limits on /etc/security/limits malicious rsh server can cause rcp to write to arbitrary files (like scp CAN-2004-0175) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 GNU cpio copies files into or out of a cpio or tar archive. It was discovered that cpio uses a 0 umask when creating files using the -O (archive) option. This creates output files with mode 0666 (all can read and write) regardless of the user's umask setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-1999-1572 to this issue. All users of cpio should upgrade to this updated package, which resolves this issue, and adds support for large files (> 2GB). Low Copyright 2005 Red Hat, Inc. CVE-1999-1572 cpio does not support large files > 2GB cpio fails to unpack initrd on ppc CAN-1999-1572 cpio insecure file creation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ghostscript is a program for displaying PostScript files or printing them to non-PostScript printers. A bug was found in the way several of Ghostscript's utility scripts created temporary files. A local user could cause these utilities to overwrite files that the victim running the utility has write access to. The Common Vulnerabilities and Exposures project assigned the name CAN-2004-0967 to this issue. Additionally, this update addresses the following issue: A problem has been identified in the PDF output driver, which can cause output to be delayed indefinitely on some systems. The fix has been backported from GhostScript 7.07. All users of ghostscript should upgrade to these updated packages, which contain backported patches to resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-0967 [7.05-20.1] gs gets stuck reading /dev/random CAN-2004-0967 temporary file vulnerabilities in various ghostscript scripts. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The ht://Dig system is a Web search and indexing system for a small domain or intranet. Michael Krax reported a cross-site scripting bug affecting htdig. An attacker could construct a carefully crafted URL which can cause a web browser to execute malicious script once visited. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-0085 to this issue. Users of htdig should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0085 CAN-2005-0085 XSS vulnerability in htdig 3.2.0b6 htdig packaging cleanups cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. This advisory includes fixes for several security issues: iSEC Security Research discovered multiple vulnerabilities in the IGMP functionality. These flaws could allow a local user to cause a denial of service (crash) or potentially gain privileges. Where multicast applications are being used on a system, these flaws may also allow remote users to cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1137 to this issue. iSEC Security Research discovered a flaw in the page fault handler code that could lead to local users gaining elevated (root) privileges on multiprocessor machines. (CAN-2005-0001) iSEC Security Research discovered a VMA handling flaw in the uselib(2) system call of the Linux kernel. A local user could make use of this flaw to gain elevated (root) privileges. (CAN-2004-1235) A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T architecture was discovered. A local user could use this flaw to write to privileged IO ports. (CAN-2005-0204) The Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not properly check the DMA lock, which could allow remote attackers or local users to cause a denial of service (X Server crash) or possibly modify the video output. (CAN-2004-1056) OGAWA Hirofumi discovered incorrect tables sizes being used in the filesystem Native Language Support ASCII translation table. This could lead to a denial of service (system crash). (CAN-2005-0177) Michael Kerrisk discovered a flaw in the 2.6.9 kernel which allows users to unlock arbitrary shared memory segments. This flaw could lead to applications not behaving as expected. (CAN-2005-0176) Improvements in the POSIX signal and tty standards compliance exposed a race condition. This flaw can be triggered accidentally by threaded applications or deliberately by a malicious user and can result in a denial of service (crash) or in occasional cases give access to a small random chunk of kernel memory. (CAN-2005-0178) The PaX team discovered a flaw in mlockall introduced in the 2.6.9 kernel. An unprivileged user could use this flaw to cause a denial of service (CPU and memory consumption or crash). (CAN-2005-0179) Brad Spengler discovered multiple flaws in sg_scsi_ioctl in the 2.6 kernel. An unprivileged user may be able to use this flaw to cause a denial of service (crash) or possibly other actions. (CAN-2005-0180) Kirill Korotaev discovered a missing access check regression in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch. On systems using the hugemem kernel, a local unprivileged user could use this flaw to cause a denial of service (crash). (CAN-2005-0090) A flaw in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch can allow syscalls to read and write arbitrary kernel memory. On systems using the hugemem kernel, a local unprivileged user could use this flaw to gain privileges. (CAN-2005-0091) An additional flaw in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch was discovered. On x86 systems using the hugemem kernel, a local unprivileged user may be able to use this flaw to cause a denial of service (crash). (CAN-2005-0092) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2005 Red Hat, Inc. CVE-2004-1056 CVE-2004-1137 CVE-2004-1235 CVE-2005-0001 CVE-2005-0090 CVE-2005-0091 CVE-2005-0092 CVE-2005-0176 CVE-2005-0177 CVE-2005-0178 CVE-2005-0179 CVE-2005-0180 CVE-2005-0204 CAN-2004-1137 IGMP flaws CAN-2005-0090 4GB split DoS CAN-2004-1235 isec.pl do_brk() privilege escalation CAN-2004-1056 insufficient locking checks in DRM code CAN-2005-0001 page fault @ SMP privilege escalation CAN-2005-0176 unlock someone elses ipc memory CAN-2005-0180 2.6 scsi ioctl integer overflow and information leak CAN-2005-0179 RLIMIT_MEMLOCK bypass and (2.6) unprivileged user DoS random poolsize sysctl handler integer overflow CAN-2005-0091 4g4g PROT_NONE fix (CAN-2005-0092) 20041212 Clear ebp on sysenter return CAN-2005-0177 nls_ascii incorrect table size CAN-2005-0178 tty/setsid race cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Thunderbird is a standalone mail and newsgroup client. A bug was found in the way Thunderbird handled synthetic middle click events. It is possible for a malicious web page to steal the contents of a victim's clipboard. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0146 to this issue. A bug was found in the way Thunderbird handled cookies when loading content over HTTP regardless of the user's preference. It is possible that a particular user could be tracked through the use of malicious mail messages which load content over HTTP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0149 to this issue. Users of Thunderbird are advised to upgrade to this updated package, which contains Thunderbird version 1.0 and is not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0146 CVE-2005-0149 CAN-2005-0149 Mail responds to cookie requests CAN-2005-0146 Synthetic middle-click event can steal clipboard contents cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SquirrelMail is a standards-based webmail package written in PHP4. Jimmy Conner discovered a missing variable initialization in Squirrelmail. This flaw could allow potential insecure file inclusions on servers where the PHP setting "register_globals" is set to "On". This is not a default or recommended setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0075 to this issue. A URL sanitisation bug was found in Squirrelmail. This flaw could allow a cross site scripting attack when loading the URL for the sidebar. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0103 to this issue. A missing variable initialization bug was found in Squirrelmail. This flaw could allow a cross site scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0104 to this issue. Users of Squirrelmail are advised to upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0075 CVE-2005-0103 CVE-2005-0104 CAN-2005-0075 Arbitrary code injection in Squirrelmail CAN-2005-0103 Multiple issues in squirrelmail (CAN-2005-0104) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mod_python is a module that embeds the Python language interpreter within the Apache web server, allowing handlers to be written in Python. Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL. A remote user could visit a carefully crafted URL that would gain access to objects that should not be visible, leading to an information leak. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0088 to this issue. Users of mod_python are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0088 CAN-2005-0088 mod_python information leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 D-BUS is a system for sending messages between applications. It is used both for the systemwide message bus service, and as a per-user-login-session messaging facility. Dan Reed discovered that a user can send and listen to messages on another user's per-user session bus if they know the address of the socket. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0201 to this issue. In Red Hat Enterprise Linux 4, the per-user session bus is only used for printing notifications, therefore this issue would only allow a local user to examine or send additional print notification messages. Users of dbus are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-0201 CAN-2005-0201 dbus information leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a stack based buffer overflow flaw in sperl, the Perl setuid wrapper. A local user could create a sperl executable script with a carefully created path name, overflowing the buffer and leading to root privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0156 to this issue. Kevin Finisterre discovered a flaw in sperl which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0155 to this issue. An unsafe file permission bug was discovered in the rmtree() function in the File::Path module. The rmtree() function removes files and directories in an insecure manner, which could allow a local user to read or delete arbitrary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0452 to this issue. Users of Perl are advised to upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-0452 CVE-2005-0155 CVE-2005-0156 CAN-2005-0155 multiple setuid perl issues (CAN-2005-0156 ) CAN-2004-0452 File::Path::rmtree() issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mod_python is a module that embeds the Python language interpreter within the Apache web server, allowing handlers to be written in Python. Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL. A remote user could visit a carefully crafted URL that would gain access to objects that should not be visible, leading to an information leak. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0088 to this issue. Users of mod_python are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0088 CAN-2005-0088 mod_python information leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a stack based buffer overflow flaw in sperl, the Perl setuid wrapper. A local user could create a sperl executable script with a carefully created path name, overflowing the buffer and leading to root privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0156 to this issue. Kevin Finisterre discovered a flaw in sperl which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0155 to this issue. Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-0452 CVE-2005-0155 CVE-2005-0156 Potential insecurity in CGI.pm CAN-2005-0155 multiple setuid perl issues (CAN-2005-0156) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH replaces rlogin and rsh, and provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over a secure channel. Public key authentication can be used for "passwordless" access to servers. The scp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses scp to copy files from a malicious server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0175 to this issue. These updated packages also correct the following bugs: On systems where direct ssh access for the root user was disabled by configuration (setting "PermitRootLogin no"), attempts to guess the root password could be judged as sucessful or unsucessful by observing a delay. On systems where the privilege separation feature was turned on, the user resource limits were not correctly set if the configuration specified to raise them above the defaults. It was also not possible to change an expired password. Users of openssh should upgrade to these updated packages, which contain backported patches to resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-0175 CAN-2004-0175 malicious ssh server can cause scp to write to arbitrary files OpenSSH does not allow users to change expired passwords when privsep is used SSH allows attacker to divine root password cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Python is an interpreted, interactive, object-oriented programming language. An object traversal bug was found in the Python SimpleXMLRPCServer. This bug could allow a remote untrusted user to do unrestricted object traversal and allow them to access or change function internals using the im_* and func_* attributes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0089 to this issue. Users of Python are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0089 CAN-2005-0089 python SimpleXMLRPCServer security issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Python is an interpreted, interactive, object-oriented programming language. An object traversal bug was found in the Python SimpleXMLRPCServer. This bug could allow a remote untrusted user to do unrestricted object traversal and allow them to access or change function internals using the im_* and func_* attributes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0089 to this issue. Users of Python are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0089 CAN-2005-0089 python SimpleXMLRPCServer security issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Emacs is a powerful, customizable, self-documenting, modeless text editor. Max Vozeler discovered several format string vulnerabilities in the movemail utility of Emacs. If a user connects to a malicious POP server, an attacker can execute arbitrary code as the user running emacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0100 to this issue. Users of Emacs are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0100 CAN-2005-0100 Arbitrary code execution in *emacs* cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Emacs is a powerful, customizable, self-documenting, modeless text editor. Max Vozeler discovered several format string vulnerabilities in the movemail utility of Emacs. If a user connects to a malicious POP server, an attacker can execute arbitrary code as the user running emacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0100 to this issue. Users of Emacs are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0100 CAN-2005-0100 Arbitrary code execution in *emacs* cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 VIM (Vi IMproved) is an updated and improved version of the vi screen-based editor. The Debian Security Audit Project discovered an insecure temporary file usage in VIM. A local user could overwrite or create files as a different user who happens to run one of the the vulnerable utilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0069 to this issue. All users of VIM are advised to upgrade to these erratum packages, which contain a backported patche for this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-0069 CAN-2005-0069 vim unsafe temporary file usage. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols. A logic error in the CRAM-MD5 code in the University of Washington IMAP (UW-IMAP) server was discovered. When Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, UW-IMAP does not properly enforce all the required conditions for successful authentication, which could allow remote attackers to authenticate as arbitrary users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0198 to this issue. All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0198 CAN-2005-0198 user validation issue in imap when using CRAM-MD5 authetication cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) is a print spooler. During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect Xpdf. CUPS contained a copy of the Xpdf code used for parsing PDF files and was therefore affected by these bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2004-0888 to this issue, and Red Hat released erratum RHSA-2004:543 with updated packages. It was found that the patch used to correct this issue was not sufficient and did not fully protect CUPS running on 64-bit architectures. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. These updated packages also include a fix that prevents the CUPS initscript from being accidentally replaced. All users of CUPS on 64-bit architectures should upgrade to these updated packages, which contain a corrected patch and are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0206 CAN-2004-0888 xpdf issues affect cups cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 XEmacs is a powerful, customizable, self-documenting, modeless text editor. Max Vozeler discovered several format string vulnerabilities in the movemail utility of XEmacs. If a user connects to a malicious POP server, an attacker can execute arbitrary code as the user running xemacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0100 to this issue. Users of XEmacs are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0100 CAN-2005-0100 Arbitrary code execution in *emacs* cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XEmacs is a powerful, customizable, self-documenting, modeless text editor. Max Vozeler discovered several format string vulnerabilities in the movemail utility of XEmacs. If a user connects to a malicious POP server, an attacker can execute arbitrary code as the user running xemacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0100 to this issue. Users of XEmacs are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0100 CAN-2005-0100 Arbitrary code execution in *emacs* cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SquirrelMail is a standards-based webmail package written in PHP4. Jimmy Conner discovered a missing variable initialization in Squirrelmail. This flaw could allow potential insecure file inclusions on servers where the PHP setting "register_globals" is set to "On". This is not a default or recommended setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0075 to this issue. A URL sanitisation bug was found in Squirrelmail. This flaw could allow a cross site scripting attack when loading the URL for the sidebar. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0103 to this issue. A missing variable initialization bug was found in Squirrelmail. This flaw could allow a cross site scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0104 to this issue. Users of Squirrelmail are advised to upgrade to this updated package, which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0075 CVE-2005-0103 CVE-2005-0104 CAN-2005-0075 Arbitrary code injection in Squirrelmail CAN-2005-0103 Multiple issues in squirrelmail (CAN-2005-0104) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The mailman package is software to help manage email discussion lists. A flaw in the true_path function of Mailman was discovered. A remote attacker who is a member of a private mailman list could use a carefully crafted URL and gain access to arbitrary files on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0202 to this issue. Note: Mailman installations running on Apache 2.0-based servers are not vulnerable to this issue. Users of mailman should update to these erratum packages that contain a patch and are not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0202 CAN-2005-0202 mailman flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mailman is software to help manage email discussion lists. A flaw in the true_path function of Mailman was discovered. A remote attacker who is a member of a private mailman list could use a carefully crafted URL and gain access to arbitrary files on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0202 to this issue. Note: Mailman installations running on Apache 2.0-based servers are not vulnerable to this issue. Users of Mailman should update to these erratum packages that contain a patch and are not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0202 CAN-2005-0202 mailman flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 A flaw in the LOAD command in PostgreSQL was discovered. A local user could use this flaw to load arbitrary shared libraries and therefore execute arbitrary code, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0227 to this issue. A permission checking flaw in PostgreSQL was discovered. A local user could bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0244 to this issue. Multiple buffer overflows were found in PL/PgSQL. A database user who has permissions to create plpgsql functions could trigger this flaw which could lead to arbitrary code execution, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0245 and CAN-2005-0247 to these issues. A flaw in the integer aggregator (intagg) contrib module for PostgreSQL was found. A user could create carefully crafted arrays and cause a denial of service (crash). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0246 to this issue. The update also fixes some minor problems, notably conflicts with SELinux. Users of postgresql should update to these erratum packages that contain patches and are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0227 CVE-2005-0244 CVE-2005-0245 CVE-2005-0246 CVE-2005-0247 CAN-2005-0227 Multiple security issues in PostgreSQL (CAN-2005-0244 CAN-2005-0245 CAN-2005-0246 CAN-2005-0247) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PostgreSQL is an advanced Object-Relational database management system (DBMS). A flaw in the LOAD command in PostgreSQL was discovered. A local user could use this flaw to load arbitrary shared librarys and therefore execute arbitrary code, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0227 to this issue. A permission checking flaw in PostgreSQL was discovered. A local user could bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0244 to this issue. Multiple buffer overflows were found in PL/PgSQL. A database user who has permissions to create plpgsql functions could trigger this flaw which could lead to arbitrary code execution, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0245 and CAN-2005-0247 to these issues. A flaw in the integer aggregator (intagg) contrib module for PostgreSQL was found. A user could create carefully crafted arrays and cause a denial of service (crash). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0246 to this issue. Users of PostgreSQL are advised to update to these erratum packages which are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0227 CVE-2005-0244 CVE-2005-0245 CVE-2005-0246 CVE-2005-0247 CAN-2005-0227 Multiple security issues in PostgreSQL (CAN-2005-0244 CAN-2005-0245 CAN-2005-0246 CAN-2005-0247) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS. A flaw was found in the ipv6 patch used with Postfix. When the file /proc/net/if_inet6 is not available and permit_mx_backup is enabled in smtpd_recipient_restrictions, this flaw could allow remote attackers to bypass e-mail restrictions and perform mail relaying by sending mail to an IPv6 hostname. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0337 to this issue. These updated packages also fix the following problems: - wrong permissions on doc directory - segfault when gethostbyname or gethostbyaddr fails All users of postfix should upgrade to these updated packages, which contain patches which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0337 newaliases segfaults when gethostbyname or gethostbyaddr fails CAN-2005-0337 open relay bug in postfix ipv6 patch Permissions on doc directory is wrong cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The rsh package contains a set of programs that allow users to run commands on remote machines, login to other machines, and copy files between machines, using the rsh, rlogin, and rcp commands. All three of these commands use rhosts-style authentication. The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses rcp to copy files from a malicious server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0175 to this issue. These updated packages also address the following bugs: The rlogind server reported "SIGCHLD set to SIG_IGN but calls wait()" message to the system log because the original BSD code was ported incorrectly to linux. The rexecd server did not function on systems where client hostnames were not in the DNS service, because server code called gethostbyaddr() for each new connection. The rcp command incorrectly used the "errno" variable and produced erroneous error messages. The rexecd command ignored settings in the /etc/security/limits file, because the PAM session was incorrectly initialized. All users of rsh should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-0175 RHEL4: rexecd does not set limits on /etc/security/limits RHEL4: rcp gives incorrect error report when file system writes fai cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A bug was found in the way Squid handles FQDN lookups. It was possible to crash the Squid server by sending a carefully crafted DNS response to an FQDN lookup. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0446 to this issue. Users of squid should upgrade to this updated package, which contains a backported patch, and is not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0446 CAN-2005-0446 Squid DoS from bad DNS response cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdenetwork packages contain a collection of networking applications for the K Desktop Environment. A bug was found in the way kppp handles privileged file descriptors. A malicious local user could make use of this flaw to modify the /etc/hosts or /etc/resolv.conf files, which could be used to spoof domain information. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0205 to this issue. Please note that the default installation of kppp on Red Hat Enterprise Linux uses consolehelper and is not vulnerable to this issue. However, the kppp FAQ provides instructions for removing consolehelper and running kppp suid root, which is a vulnerable configuration. Users of kdenetwork should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-0205 CAN-2005-0205 kppp local domain name hijacking cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. A bug was found in the Firefox string handling functions. If a malicious website is able to exhaust a system's memory, it becomes possible to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0255 to this issue. A bug was found in the way Firefox handles pop-up windows. It is possible for a malicious website to control the content in an unrelated site's pop-up window. (CAN-2004-1156) A bug was found in the way Firefox allows plug-ins to load privileged content into a frame. It is possible that a malicious webpage could trick a user into clicking in certain places to modify configuration settings or execute arbitrary code. (CAN-2005-0232 and CAN-2005-0527). A flaw was found in the way Firefox displays international domain names. It is possible for an attacker to display a valid URL, tricking the user into thinking they are viewing a legitimate webpage when they are not. (CAN-2005-0233) A bug was found in the way Firefox handles plug-in temporary files. A malicious local user could create a symlink to a victims directory, causing it to be deleted when the victim exits Firefox. (CAN-2005-0578) A bug has been found in one of Firefox's UTF-8 converters. It may be possible for an attacker to supply a specially crafted UTF-8 string to the buggy converter, leading to arbitrary code execution. (CAN-2005-0592) A bug was found in the Firefox javascript security manager. If a user drags a malicious link to a tab, the javascript security manager is bypassed which could result in remote code execution or information disclosure. (CAN-2005-0231) A bug was found in the way Firefox displays the HTTP authentication prompt. When a user is prompted for authentication, the dialog window is displayed over the active tab, regardless of the tab that caused the pop-up to appear and could trick a user into entering their username and password for a trusted site. (CAN-2005-0584) A bug was found in the way Firefox displays the save file dialog. It is possible for a malicious webserver to spoof the Content-Disposition header, tricking the user into thinking they are downloading a different filetype. (CAN-2005-0586) A bug was found in the way Firefox handles users "down-arrow" through auto completed choices. When an autocomplete choice is selected, the information is copied into the input control, possibly allowing a malicious web site to steal information by tricking a user into arrowing through autocompletion choices. (CAN-2005-0589) Several bugs were found in the way Firefox displays the secure site icon. It is possible that a malicious website could display the secure site icon along with incorrect certificate information. (CAN-2005-0593) A bug was found in the way Firefox displays the download dialog window. A malicious site can obfuscate the content displayed in the source field, tricking a user into thinking they are downloading content from a trusted source. (CAN-2005-0585) A bug was found in the way Firefox handles xsl:include and xsl:import directives. It is possible for a malicious website to import XSLT stylesheets from a domain behind a firewall, leaking information to an attacker. (CAN-2005-0588) A bug was found in the way Firefox displays the installation confirmation dialog. An attacker could add a long user:pass before the true hostname, tricking a user into thinking they were installing content from a trusted source. (CAN-2005-0590) A bug was found in the way Firefox displays download and security dialogs. An attacker could cover up part of a dialog window tricking the user into clicking "Allow" or "Open", which could potentially lead to arbitrary code execution. (CAN-2005-0591) Users of Firefox are advised to upgrade to this updated package which contains Firefox version 1.0.1 and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2004-1156 CVE-2005-0231 CVE-2005-0232 CVE-2005-0233 CVE-2005-0255 CVE-2005-0527 CVE-2005-0578 CVE-2005-0584 CVE-2005-0585 CVE-2005-0586 CVE-2005-0588 CVE-2005-0589 CVE-2005-0590 CVE-2005-0591 CVE-2005-0592 CVE-2005-0593 CAN-2004-1156 Frame injection vulnerability. CAN-2005-0585 download dialog URL spoofing CAN-2005-0233 homograph spoofing CAN-2005-0232 fireflashing vulnerability (CAN-2005-0527) CAN-2005-0231 firefox javascript tab security bypass CAN-2005-0255 Memory overwrite in string library CAN-2005-0578 Unsafe /tmp/plugtmp directory exploitable to erase user's files CAN-2005-0584 HTTP auth prompt tab spoofing CAN-2005-0586 Download dialog spoofing using Content-Disposition header CAN-2005-0588 XSLT can include stylesheets from arbitrary hosts CAN-2005-0589 Autocomplete data leak CAN-2005-0590 Install source spoofing with user:pass@host CAN-2005-0591 Spoofing download and security dialogs with overlapping windows CAN-2005-0592 Heap overflow possible in UTF8 to Unicode conversion CAN-2005-0593 SSL "secure site" indicator spoofing cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.Org X11 is the X Window System which provides the core functionality of the Linux GUI desktop. An integer overflow flaw was found in libXpm, which is used by some applications for loading of XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with libXpm to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0605 to this issue. Since the initial release of Red Hat Enterprise Linux 4, a number of issues have been addressed in the X.Org X11 X Window System. This erratum also updates X11R6.8 to the latest stable point release (6.8.2), which includes various stability and reliability fixes including (but not limited to) the following: - The 'radeon' driver has been modified to disable "RENDER" acceleration by default, due to a bug in the implementation which has not yet been isolated. This can be manually re-enabled by using the following option in the device section of the X server config file: Option "RenderAccel" - The 'vmware' video driver is now available on 64-bit AMD64 and compatible systems. - The Intel 'i810' video driver is now available on 64-bit EM64T systems. - Stability fixes in the X Server's PCI handling layer for 64-bit systems, which resolve some issues reported by "vesa" and "nv" driver users. - Support for Hewlett Packard's Itanium ZX2 chipset. - Nvidia "nv" video driver update provides support for some of the newer Nvidia chipsets, as well as many stability and reliability fixes. - Intel i810 video driver stability update, which fixes the widely reported i810/i815 screen refresh issues many have experienced. - Packaging fixes for multilib systems, which permit both 32-bit and 64-bit X11 development environments to be simultaneously installed without file conflicts. In addition to the above highlights, the X.Org X11 6.8.2 release has a large number of additional stability fixes which resolve various other issues reported since the initial release of Red Hat Enterprise Linux 4. All users of X11 should upgrade to these updated packages, which resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0605 font corruption on openoffice.org menus X is unusable on GeForce 6600GT with nForce4 CAN-2005-0605 XPM buffer overflow xorg-x11-6.8.1-23 missing half of Lucida fonts cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Squid is a full-featured Web proxy cache. A bug was found in the way Squid handles fully qualified domain name (FQDN) lookups. A malicious DNS server could crash Squid by sending a carefully crafted DNS response to an FQDN lookup. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0446 to this issue. This erratum also includes two minor patches to the LDAP helpers. One corrects a slight malformation in ldap search requests (although all known LDAP servers accept the requests). The other adds documentation for the -v option to the ldap helpers. Users of Squid should upgrade to this updated package, which contains a backported patch, and is not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0446 CAN-2005-0446 Squid DoS from bad DNS response cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The xpdf package is an X Window System-based viewer for Portable Document Format (PDF) files. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. This issue was assigned the name CAN-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). RHSA-2004:592 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. All users of xpdf should upgrade to this updated package, which contains backported patches to resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0206 CAN-2004-0888 xpdf integer overflows (CAN-2005-0206) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The Gaim application is a multi-protocol instant messaging client. Two HTML parsing bugs were discovered in Gaim. It is possible that a remote attacker could send a specially crafted message to a Gaim client, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0208 and CAN-2005-0473 to these issues. A bug in the way Gaim processes SNAC packets was discovered. It is possible that a remote attacker could send a specially crafted SNAC packet to a Gaim client, causing the client to stop responding. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0472 to this issue. Additionally, various client crashes, memory leaks, and protocol issues have been resolved. Users of Gaim are advised to upgrade to this updated package which contains Gaim version 1.1.4 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0208 CVE-2005-0472 CVE-2005-0473 CAN-2005-0472 Gaim DoS issues (CAN-2005-0473) CAN-2005-0208 Gaim HTML parsing DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The ipsec-tools package is used in conjunction with the IPsec functionality in the linux kernel. The ipsec-tools package includes: - setkey, a program to directly manipulate policies and SAs - racoon, an IKEv1 keying daemon A bug was found in the way the racoon daemon handled incoming ISAKMP requests. It is possible that an attacker could crash the racoon daemon by sending a specially crafted ISAKMP packet. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0398 to this issue. Additionally, the following issues have been fixed: - racoon mishandled restarts in the presence of stale administration sockets. - on Red Hat Enterprise Linux 4, racoon and setkey did not properly set up forward policies, which prevented tunnels from working. Users of ipsec-tools should upgrade to this updated package, which contains backported patches, and is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0398 CAN-2005-0398 racoon DoS CAN-2005-0398 racoon DoS racoon unable to start with stale socket /tmp/.racoon ipsec/racoon/setkey does not properly forward packets to vpn peer cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mailman manages electronic mail discussion and e-newsletter lists. A cross-site scripting (XSS) flaw in the driver script of mailman prior to version 2.1.5 could allow remote attackers to execute scripts as other web users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1177 to this issue. Users of mailman should update to this erratum package, which corrects this issue by turning on STEALTH_MODE by default and using Utils.websafe() to quote the html. Important Copyright 2005 Red Hat, Inc. CVE-2004-1177 Mailman doesn't work with courier init script doesn't use /var/lock/subsys mailman logrotate has wrong location for mailmanctl CAN-2004-1177 - mailman cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Evolution is the GNOME collection of personal information management (PIM) tools. Evolution includes a mailer, calendar, contact manager, and communication facility. The tools which make up Evolution are tightly integrated with one another and act as a seamless personal information management tool. A bug was found in Evolution's helper program camel-lock-helper. This bug could allow a local attacker to gain root privileges if camel-lock-helper has been built to execute with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0102 to this issue. On Red Hat Enterprise Linux, camel-lock-helper is not built to execute with elevated privileges by default. Please note however that if users have rebuilt Evolution from the source RPM, as the root user, camel-lock-helper may be given elevated privileges. Additionally, these updated packages address the following issues: -- If evolution ran during a GNOME session, the evolution-wombat process did not exit when the user logged out of the desktop. -- For folders marked for Offline Synchronization: if a user moved a message from a Local Folder to an IMAP folder while in Offline mode, the message was not present in either folder after returning to Online mode. This update fixes this problem. Email messages that have been lost this way may still be present in the following path: ~/evolution/&lt;NAME_OF_MAIL_STORE&gt;/ \ &lt;path-to-folder-via-subfolder-directories&gt;/ \ &lt;temporary-uid-of-message&gt; If this bug has affected you it may be possible to recover data by examining the contents of this directory. All users of evolution should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0102 Moving to IMAP folder while offline eats mail CAN-2005-0102 Integer overflow in camel-lock-helper .ics import crashes Evolution Creating a meeting crashes evolution Cannot create all day event in calendar cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The GNU libc packages (known as glibc) contain the standard C libraries used by applications. It was discovered that the use of LD_DEBUG, LD_SHOW_AUXV, and LD_DYNAMIC_WEAK were not restricted for a setuid program. A local user could utilize this flaw to gain information, such as the list of symbols used by the program. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1453 to this issue. This erratum addresses the following bugs in the GNU C Library: - fix stack alignment in IA-32 clone - fix double free in globfree - fix fnmatch to avoid jumping based on unitialized memory read - fix fseekpos after ungetc - fix TZ env var handling if the variable ends with + or - - avoid depending on values read from unitialized memory in strtold on certain architectures - fix mapping alignment computation in dl-load - fix i486+ strncat inline assembly - make gethostid/sethostid work on bi-arch platforms - fix ppc64 getcontext/swapcontext - fix pthread_exit if called after pthread_create, but before the created thread actually started - fix return values for tgamma (+-0) - fix handling of very long lines in /etc/hosts - avoid page aliasing of thread stacks on AMD64 - avoid busy loop in malloc if concurrent with fork - allow putenv and setenv in shared library constructors - fix restoring of CCR in swapcontext and getcontext on ppc64 - avoid using sigaction (SIGPIPE, ...) in syslog implementation All users of glibc should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1453 telnet: 0: Name or service not known re_compile_pattern segfault [RHEL3] glibc behavior with long lines in /etc/hosts [RHEL3] libc's getXXent and getXXbyYY are inefficient for large groups x86_64 ecvt() returns "inf" for valid denormalized doubles zdump -v GMT segfaults in x86_64 CAN-2004-1453 Information leak with LD_DEBUG pthread_getspecific gets non-NULL value for new key nscd fails with big group in ldap malloc: top chunk is corrupt w/ MALLOC_CHECK_=3 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Evolution is the GNOME collection of personal information management (PIM) tools. A format string bug was found in Evolution. If a user tries to save a carefully crafted meeting or appointment, arbitrary code may be executed as the user running Evolution. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2550 to this issue. Additionally, several other format string bugs were found in Evolution. If a user views a malicious vCard, connects to a malicious LDAP server, or displays a task list from a malicious remote server, arbitrary code may be executed as the user running Evolution. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2549 to this issue. Please note that this issue only affects Red Hat Enterprise Linux 4. All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-2549 CVE-2005-2550 CAN-2005-2549 Sitic Vulnerability Advisory: SA05-001 Evolution multiple remote format string bugs (RHEL4) (CAN-2005-2550) CAN-2005-2550 Sitic Vulnerability Advisory: SA05-001 Evolution multiple remote format string bugs (RHEL3) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 HelixPlayer is a media player. A stack based buffer overflow bug was found in HelixPlayer's Synchronized Multimedia Integration Language (SMIL) file processor. An attacker could create a specially crafted SMIL file which would execute arbitrary code when opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0455 to this issue. A buffer overflow bug was found in the way HelixPlayer decodes WAV files. An attacker could create a specially crafted WAV file which could execute arbitrary code when opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0611 to this issue. All users of HelixPlayer are advised to upgrade to this updated package, which contains HelixPlayer 1.0.3 which is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0455 CVE-2005-0611 CAN-2005-0455 buffer overflow in helixplayer CAN-2005-0611 .wav overflow in helixplayer cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A bug was found in the Mozilla string handling functions. If a malicious website is able to exhaust a system's memory, it becomes possible to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0255 to this issue. Please note that other security issues have been found that affect Mozilla. These other issues have a lower severity, and are therefore planned to be released as additional security updates in the future. Users of Mozilla should upgrade to these updated packages, which contain a backported patch and are not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0255 CAN-2005-0255 Memory overwrite in string library cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The following security issues were fixed: The Vicam USB driver did not use the copy_from_user function to access userspace, crossing security boundaries. (CAN-2004-0075) The ext3 and jfs code did not properly initialize journal descriptor blocks. A privileged local user could read portions of kernel memory. (CAN-2004-0177) The terminal layer did not properly lock line discipline changes or pending IO. An unprivileged local user could read portions of kernel memory, or cause a denial of service (system crash). (CAN-2004-0814) A race condition was discovered. Local users could use this flaw to read the environment variables of another process that is still spawning via /proc/.../cmdline. (CAN-2004-1058) A flaw in the execve() syscall handling was discovered, allowing a local user to read setuid ELF binaries that should otherwise be protected by standard permissions. (CAN-2004-1073). Red Hat originally reported this as being fixed by RHSA-2004:549, but the associated fix was missing from that update. Keith Owens reported a flaw in the Itanium unw_unwind_to_user() function. A local user could use this flaw to cause a denial of service (system crash) on the Itanium architecture. (CAN-2005-0135) A missing Itanium syscall table entry could allow an unprivileged local user to cause a denial of service (system crash) on the Itanium architecture. (CAN-2005-0137) A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T architectures was discovered. A local user could use this flaw to access privileged IO ports. (CAN-2005-0204) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CAN-2005-0384) A flaw in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 was discovered that left a pointer to a freed tty structure. A local user could potentially use this flaw to cause a denial of service (system crash) or possibly gain read or write access to ttys that should normally be prevented. (CAN-2005-0403) A flaw in fragment queuing was discovered affecting the netfilter subsystem. On systems configured to filter or process network packets (for example those configured to do firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to sucessfully exploit this flaw, the attacker would need to know (or guess) some aspects of the firewall ruleset in place on the target system to be able to craft the right fragmented packets. (CAN-2005-0449) Missing validation of an epoll_wait() system call parameter could allow a local user to cause a denial of service (system crash) on the IBM S/390 and zSeries architectures. (CAN-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (system crash). (CAN-2005-0749) A flaw was discovered in the bluetooth driver system. On system where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CAN-2005-0750) In addition to the security issues listed above, there was an important fix made to the handling of the msync() system call for a particular case in which the call could return without queuing modified mmap()'ed data for file system update. (BZ 147969) Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures/configurations Please note that the fix for CAN-2005-0449 required changing the external symbol linkages (kernel module ABI) for the ip_defrag() and ip_ct_gather_frags() functions. Any third-party module using either of these would also need to be fixed. Important Copyright 2005 Red Hat, Inc. CVE-2004-0075 CVE-2004-0177 CVE-2004-0814 CVE-2004-1058 CVE-2004-1073 CVE-2005-0135 CVE-2005-0137 CVE-2005-0204 CVE-2005-0384 CVE-2005-0403 CVE-2005-0449 CVE-2005-0736 CVE-2005-0749 CVE-2005-0750 CAN-2004-0177 ext3 infoleak CAN-2004-0075 Vicam USB user/kernel copying oops in drivers/char/tty_io.c:init_dev() CAN-2004-0814 potential race condition in RHEL 2.1/3 tty layer CAN-2004-0814 input/serio local DOS CAN-2004-1058 /proc/<PID>/cmdline information disclosure CAN-2005-0403 panic in tty init_dev random poolsize sysctl handler integer overflow msync(..., ..., MS_SYNC) returning before data written to disk CAN-2005-0204 OUTS instruction does not cause SIGSEGV for all ports CAN-2005-0135 ia64 local DoS Kernel panic: Code: Bad EIP value kernel locks up tty/psuedo-tty access CAN-2005-0384 pppd remote DoS CAN-2005-0449 Possible remote Oops/firewall bypass - kABI breaker CAN-2005-0750 bluetooth security flaw CAN-2005-0749 load_elf_library possible DoS CAN-2004-1073 looks unfixed in RHEL3 CAN-2005-0137 ia64 syscall_table DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the fifth regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include: - support for 2-TB partitions on block devices - support for new disk, network, and USB devices - support for clustered APIC mode on AMD64 NUMA systems - netdump support on AMD64, Intel EM64T, Itanium, and ppc64 systems - diskdump support on sym53c8xx and SATA piix/promise adapters - NMI switch support on AMD64 and Intel EM64T systems There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. Some key areas affected by these fixes include the kernel's networking, SATA, TTY, and USB subsystems, as well as the architecture-dependent handling under the ia64, ppc64, and x86_64 directories. Scalability improvements were made primarily in the memory management and file system areas. A flaw in offset handling in the xattr file system code backported to Red Hat Enterprise Linux 3 was fixed. On 64-bit systems, a user who can access an ext3 extended-attribute-enabled file system could cause a denial of service (system crash). This issue is rated as having a moderate security impact (CAN-2005-0757). The following device drivers have been upgraded to new versions: 3c59x ------ LK1.1.18 3w-9xxx ---- 2.24.00.011fw (new in Update 5) 3w-xxxx ---- 1.02.00.037 8139too ---- (upstream 2.4.29) b44 -------- 0.95 cciss ------ v2.4.54.RH1 e100 ------- 3.3.6-k2 e1000 ------ 5.6.10.1-k2 lpfcdfc ---- 1.0.13 (new in Update 5) tg3 -------- 3.22RH Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0757 BLKPG_ADD_PARTITION op of BLKPG ioctl doesn't let you add partitions >= 1TB Getting OOM errors on an unconstrained system CAN-2004-0177 ext3 infoleak Raw device I/O transfer size limited to 32KB. API Breakage: NFS "No locks available" with kernel 2.4.21-15.ELsmp Unexpected error: VFS: Busy inodes after unmount. Self-destruct in 5 seconds. CAN-2004-0075 Vicam USB user/kernel copying Panic is occurring in the I/O completion interrupt handling for the character interface driver (sg). Add the 3w-9xxx module (required for the 9000 series 3ware cards) ICH6 SATA support Strange output of /proc/mtrr Request to include EMC Celerra and iSCSI devices to the black list oops in drivers/char/tty_io.c:init_dev() CAN-2004-0814 potential race condition in RHEL 2.1/3 tty layer O_DIRECT doesn't work on LVM devices NFS intr flag prevents core dumps LTC-8859: softdog.o need to be included into RHEL distributions x86 compatibility mode apps using signals crash under EM64T POSIX Asynchronous IO support is unstable Kernel Panic: Unable to satisfy kernel paging request... when starting ServerVantage. [RHEL3][IA32E][X86_64]Wrong FPU IP and DP in the SIGFPE signal context CAN-2004-0814 input/serio local DOS CAN-2004-1058 /proc/<PID>/cmdline information disclosure 3c59x: eth0: Transmit error, Tx status register d0. (10Mb hub) kernel crash, fatal exception, accessing /proc, EXT3-fs error Ia32e + Intel SATA 82801EB + kernel 2.4.21-20EL; unable to mount root partition. Panics while backing up LVM snapshots RHEL3U3 panics on boot for HP rx5670 NFS ESTALES returned on open [IT50092] When copying rootfs to /mnt/sdc/, rsync accessed /proc/kcore and kernel crashed NFS direct reads don't flush dirty cached pages RHEL3U2/U3 x86-64 - /proc/mtrr reported incorrectly ps shows bad PPID worktodo does not support NFS aio tg3 fiber auto-negotiation Kernel hang when cat'ting file on intr NFS mount MCA in tulip on ifconfig down/reboot [RHEL3-U5][Diskdump] Stalls before printing "CPU frozen" usb: raced timeout errors when using usb/serial adapter Unkillable processes under 64bit Linux which use Kernel Asynchronous I/O [RHEL3-U4][Diskdump] Diskdump failed with serial console enabled [RHEL3-U4][Diskdump] Segmentation Fault after cliloop [RHEL3-U5][Diskdump] All CPUs are displayed in CPU frozen em64t/ia32e kernel panic: 'interrupt handler - not syncing' during heavy network I/O lx-choptp19 crashed running 2.4.21-20.EL.BZ131027.hotfixhugemem stack overflows can occur on x86_64 under stack pressure when softirq's are handled Kernel wrongly complains about application bug when loading modules [RHEL3][PATCH] SIOCGHWADDR does not clear buffer for ppp connections RHEL3 PATCH dev.c: clear SIOCGIFHWADDR buffer if !dev->addr_len e100 and e1000 drivers should return EINVAL when ethtool tries to set rx-mini or rx-jumbo nptl futex_wait fix [PATCH] memory leak in ipv6 ip6_{push,flush}_pending_frames() FAT32 file system zero length files corruption after remount ATAPI-CDROM not accessible with kernel options ide-scsi and swiotlb Infinite loop when syncing over automounted NFS bonding with mii monitoring does not work with realtek card [PATCH] video1394 fixes sata_sx4 4GB problem Unable to handle kernel NULL pointer dereference at virtual address 00000004 NIC BCM4401 on Dell Inspiron 5100 broken kernel can not register scsi LUNs above 7 for mylexFFx2 FC RAID controller CAN-2005-0403 panic in tty init_dev U4 kernel sound broken on certain AC 97 systems Fibre Channel tape speed regression (qla2200) random poolsize sysctl handler integer overflow Anaconda installer partion error large RAID volume kernel panic in get_signal_to_deliver panic_on_oops hook removed on ia64 by diskdump patch tar crashes DELL server every 4th day. mmap() system call can return Nil recv returns EAGAIN instead of EINTR when interrupted ext2/ext3 w/ 1024 blocksize eats all memory rsync creating truncated files on fat32 filesystem Race condition in md subsystem causes panic laus incorrectly truncates path string when predicate filter is used msync(..., ..., MS_SYNC) returning before data written to disk CAN-2005-0204 OUTS instruction does not cause SIGSEGV for all ports CAN-2005-0135 ia64 local DoS Kernel panic: Code: Bad EIP value kernel locks up tty/psuedo-tty access CAN-2005-0384 pppd remote DoS CAN-2005-0449 Possible remote Oops/firewall bypass - kABI breaker Running lshw causes MCA on Olympia rx8620 CAN-2005-0750 bluetooth security flaw CAN-2005-0749 load_elf_library possible DoS CAN-2004-1073 looks unfixed in RHEL3 sata_sil missing PCI IDs for ATI SATA controller Repeated Kernel Panics while using LVM Snapshot CAN-2005-0137 ia64 syscall_table DoS SIGCHLD set to SIG_IGN but calls wait(). aggressively clean bhs sata_promise in 2.4.21-27.0.4.EL doesn't support Promise sataII 150 tx4 yet cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The libexif package contains the EXIF library. Applications use this library to parse EXIF image files. A bug was found in the way libexif parses EXIF tags. An attacker could create a carefully crafted EXIF image file which could cause image viewers linked against libexif to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0664 to this issue. Users of libexif should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-0664 CAN-2005-0664 buffer overflow in libexif cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The ethereal package is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws and cause Ethereal to crash or potentially execute arbitrary code. A buffer overflow flaw was discovered in the Etheric dissector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0704 to this issue. The GPRS-LLC dissector could crash if the "ignore cipher bit" option was set. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0705 to this issue. A buffer overflow flaw was discovered in the 3GPP2 A11 dissector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0699 to this issue. A buffer overflow flaw was discovered in the IAPP dissector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0739 to this issue. Users of ethereal should upgrade to these updated packages, which contain version 0.10.10 and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0699 CVE-2005-0704 CVE-2005-0705 CVE-2005-0739 CVE-2005-0765 CVE-2005-0766 CAN-2005-0699 Multiple ethereal issues (CAN-2005-0704 CAN-2005-0705) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdelibs package provides libraries for the K Desktop Environment. Sebastian Krahmer discovered a flaw in dcopserver, the KDE Desktop Communication Protocol (DCOP) daemon. A local user could use this flaw to stall the DCOP authentication process, affecting any local desktop users and causing a reduction in their desktop functionality. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0396 to this issue. Users of KDE should upgrade to these erratum packages, which contain backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0396 CAN-2005-0396 kdelibs DCOP DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 ImageMagick(TM) is an image display and manipulation tool for the X Window System which can read and write multiple image formats. A format string bug was found in the way ImageMagick handles filenames. An attacker could execute arbitrary code on a victim's machine if they were able to trick the victim into opening a file with a specially crafted name. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0397 to this issue. Additionally, a bug was fixed which caused ImageMagick(TM) to occasionally segfault when writing TIFF images to standard output. Users of ImageMagick should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0397 Segmentation fault on conversion to TIFF (possible libtiff bug) CAN-2005-0397 ImageMagick format string flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A buffer overflow bug was found in the way Mozilla processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0399 to this issue. A bug was found in the way Mozilla displays dialog windows. It is possible that a malicious web page which is being displayed in a background tab could present the user with a dialog window appearing to come from the active page. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1380 to this issue. A bug was found in the way Mozilla allowed plug-ins to load privileged content into a frame. It is possible that a malicious webpage could trick a user into clicking in certain places to modify configuration settings or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0232 to this issue. A bug was found in the way Mozilla Mail handles cookies when loading content over HTTP regardless of the user's preference. It is possible that a particular user could be tracked through the use of malicious mail messages which load content over HTTP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0149 to this issue. A bug was found in the way Mozilla responds to proxy auth requests. It is possible for a malicious webserver to steal credentials from a victims browser by issuing a 407 proxy authentication request. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0147 to this issue. A bug was found in the way Mozilla handles certain start tags followed by a NULL character. A malicious web page could cause Mozilla to crash when viewed by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1613 to this issue. A bug was found in the way Mozilla sets file permissions when installing XPI packages. It is possible for an XPI package to install some files world readable or writable, allowing a malicious local user to steal information or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0906 to this issue. A bug was found in the way Mozilla loads links in a new tab which are middle clicked. A malicious web page could read local files or modify privileged chrom settings. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0141 to this issue. A bug was found in the way Mozilla displays the secure site icon. A malicious web page can use a view-source URL targetted at a secure page, while loading an insecure page, yet the secure site icon shows the previous secure state. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0144 to this issue. Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.4.4 and additional backported patches to correct these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2004-0906 CVE-2004-1380 CVE-2004-1613 CVE-2005-0141 CVE-2005-0144 CVE-2005-0147 CVE-2005-0149 CVE-2005-0232 CVE-2005-0399 CAN-2005-0141 Link opened in new tab can load a local file CAN-2005-0144 Secure site lock can be spoofed with view-source: CAN-2004-1380 Input stealing from other tabs (CAN-2004-1381) CAN-2005-0147 Browser responds to proxy auth request from non-proxy server (ssl/https) CAN-2005-0149 Mail responds to cookie requests CAN-2005-0399 mozilla GIF buffer overflow CAN-2004-1613 Mozilla start tag NULL character DoS CAN-2004-0906 Mozilla XPI installer insecure file creation CAN-2005-0232 fireflashing vulnerability (CAN-2005-0527) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdelibs package provides libraries for the K Desktop Environment. The International Domain Name (IDN) support in the Konqueror browser allowed remote attackers to spoof domain names using punycode encoded domain names. Such domain names are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0237 to this issue. Sebastian Krahmer discovered a flaw in dcopserver, the KDE Desktop Communication Protocol (DCOP) daemon. A local user could use this flaw to stall the DCOP authentication process, affecting any local desktop users and causing a reduction in their desktop functionality. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0396 to this issue. A flaw in the dcopidlng script was discovered. The dcopidlng script would create temporary files with predictable filenames which could allow local users to overwrite arbitrary files via a symlink attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0365 to this issue. Users of KDE should upgrade to these erratum packages which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0237 CVE-2005-0365 CVE-2005-0396 CAN-2005-0237 homograph spoofing CAN-2005-0365 dcopidlng insecure temporary file usage CAN-2005-0396 kdelibs DCOP DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The telnet package provides a command line telnet client. The telnet-server package includes a telnet daemon, telnetd, that supports remote login to the host machine. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0468 and CAN-2005-0469 to these issues. Additionally, the following bugs have been fixed in these erratum packages for Red Hat Enterprise Linux 2.1 and Red Hat Enterprise Linux 3: - telnetd could loop on an error in the child side process - There was a race condition in telnetd on a wtmp lock on some occasions - The command line in the process table was sometimes too long and caused bad output from the ps command - The 8-bit binary option was not working Users of telnet should upgrade to this updated package, which contains backported patches to correct these issues. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0468 CVE-2005-0469 Too long /proc/X/cmdline: bad ps output when piped to less/more telnetd cleanup() race condition with syslog in signal handler [PATCH] telnetd loops on child IO error [RHEL3] telnetd cleanup() race condition with syslog in signal handler CAN-2005-0469 slc_add_reply() Buffer Overflow Vulnerability CAN-2005-0468 env_opt_add() Buffer Overflow Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0468 and CAN-2005-0469 to these issues. Users of krb5 should update to these erratum packages which contain a backported patch to correct this issue. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0468 CVE-2005-0469 CAN-2005-0469 Multiple Telnet Client issues (CAN-2005-0468) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon. An integer overflow flaw was found in libXpm, which is used by some applications for loading of XPM images. An attacker could create a malicious XPM file that would execute arbitrary code if opened by a victim using an application linked to the vulnerable library. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0605 to this issue. The updated XFree86 packages also address the following minor issues: - Updated XFree86-4.3.0-keyboard-disable-ioport-access-v3.patch to make warning messages less alarmist. - Backported XFree86-4.3.0-libX11-stack-overflow.patch from xorg-x11-6.8.1 packaging to fix stack overflow in libX11, which was discovered by new security features of gcc4. Users of XFree86 should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0605 libX11 overflows it's own stack CAN-2005-0605 XPM buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The xloadimage utility displays images in an X Window System window, loads images into the root window, or writes images into a file. Xloadimage supports many image types (including GIF, TIFF, JPEG, XPM, and XBM). A flaw was discovered in xloadimage where filenames were not properly quoted when calling the gunzip command. An attacker could create a file with a carefully crafted filename so that it would execute arbitrary commands if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0638 to this issue. Another bug in xloadimage would cause it to crash if called with certain invalid TIFF, PNM, PBM, or PPM file names. All users of xloadimage should upgrade to this erratum package which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0638 xloadimage crashes with some TIFF images bad source code CAN-2005-0638 xloadimage multiple issues. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 MySQL is a multi-user, multi-threaded SQL database server. This update fixes several security risks in the MySQL server. Stefano Di Paola discovered two bugs in the way MySQL handles user-defined functions. A user with the ability to create and execute a user defined function could potentially execute arbitrary code on the MySQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0709 and CAN-2005-0710 to these issues. Stefano Di Paola also discovered a bug in the way MySQL creates temporary tables. A local user could create a specially crafted symlink which could result in the MySQL server overwriting a file which it has write access to. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-0711 to this issue. All users of the MySQL server are advised to upgrade to these updated packages, which contain fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0709 CVE-2005-0710 CVE-2005-0711 CAN-2005-0711 Insecure temporary file creation with CREATE TEMPORARY TABLE CAN-2005-0710 MySQL security attacks via user-defined functions in C (CAN-2005-0709) CAN-2005-0710 MySQL security attacks via user-defined functions in C (CAN-2005-0709) CAN-2005-0711 Insecure temporary file creation with CREATE TEMPORARY TABLE cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A buffer overflow bug was found in the way Mozilla processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0399 to this issue. A bug was found in the way Mozilla responds to proxy auth requests. It is possible for a malicious webserver to steal credentials from a victims browser by issuing a 407 proxy authentication request. (CAN-2005-0147) A bug was found in the way Mozilla displays dialog windows. It is possible that a malicious web page which is being displayed in a background tab could present the user with a dialog window appearing to come from the active page. (CAN-2004-1380) A bug was found in the way Mozilla Mail handles cookies when loading content over HTTP regardless of the user's preference. It is possible that a particular user could be tracked through the use of malicious mail messages which load content over HTTP. (CAN-2005-0149) A flaw was found in the way Mozilla displays international domain names. It is possible for an attacker to display a valid URL, tricking the user into thinking they are viewing a legitimate webpage when they are not. (CAN-2005-0233) A bug was found in the way Mozilla handles pop-up windows. It is possible for a malicious website to control the content in an unrelated site's pop-up window. (CAN-2004-1156) A bug was found in the way Mozilla saves temporary files. Temporary files are saved with world readable permissions, which could allow a local malicious user to view potentially sensitive data. (CAN-2005-0142) A bug was found in the way Mozilla handles synthetic middle click events. It is possible for a malicious web page to steal the contents of a victims clipboard. (CAN-2005-0146) A bug was found in the way Mozilla processes XUL content. If a malicious web page can trick a user into dragging an object, it is possible to load malicious XUL content. (CAN-2005-0401) A bug was found in the way Mozilla loads links in a new tab which are middle clicked. A malicious web page could read local files or modify privileged chrom settings. (CAN-2005-0141) A bug was found in the way Mozilla displays the secure site icon. A malicious web page can use a view-source URL targetted at a secure page, while loading an insecure page, yet the secure site icon shows the previous secure state. (CAN-2005-0144) A bug was found in the way Mozilla displays the secure site icon. A malicious web page can display the secure site icon by loading a binary file from a secured site. (CAN-2005-0143) A bug was found in the way Mozilla displays the download dialog window. A malicious site can obfuscate the content displayed in the source field, tricking a user into thinking they are downloading content from a trusted source. (CAN-2005-0585) Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.7.6 to correct these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2004-1380 CVE-2005-0141 CVE-2005-0142 CVE-2005-0143 CVE-2005-0144 CVE-2005-0146 CVE-2005-0149 CVE-2005-0399 CVE-2005-0401 CAN-2004-1156 Frame injection vulnerability. CAN-2005-0585 download dialog URL spoofing CAN-2005-0141 multiple mozilla issues CAN-2004-1316 CAN-2005-0142 CAN-2005-0143 CAN-2005-0144 CAN-2004-1380 CAN-2004-1381 CAN-2005-0146 CAN-2005-0147 CAN-2005-0149 CAN-2005-0233 homograph spoofing CAN-2005-0399 mozilla GIF buffer overflow CAN-2005-0401 Drag and drop loading of privileged XUL cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. A buffer overflow bug was found in the way Firefox processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0399 to this issue. A bug was found in the way Firefox processes XUL content. If a malicious web page can trick a user into dragging an object, it is possible to load malicious XUL content. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0401 to this issue. A bug was found in the way Firefox bookmarks content to the sidebar. If a user can be tricked into bookmarking a malicious web page into the sidebar panel, that page could execute arbitrary programs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0402 to this issue. Users of Firefox are advised to upgrade to this updated package which contains Firefox version 1.0.2 and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0399 CVE-2005-0401 CVE-2005-0402 CAN-2005-0399 firefox GIF buffer overflow CAN-2005-0402 arbitrary code execution via sidebar CAN-2005-0401 Drag and drop loading of privileged XUL cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. A buffer overflow bug was found in the way Thunderbird processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0399 to this issue. A bug was found in the Thunderbird string handling functions. If a malicious website is able to exhaust a system's memory, it becomes possible to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0255 to this issue. Users of Thunderbird are advised to upgrade to this updated package which contains Thunderbird version 1.0.2 and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0399 CVE-2005-0255 CAN-2005-0255 Memory overwrite in string library CAN-2005-0399 thunderbird GIF buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. Multiple buffer overflow bugs were found in the way curl processes base64 encoded replies. If a victim can be tricked into visiting a URL with curl, a malicious web server could execute arbitrary code on a victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0490 to this issue. All users of curl are advised to upgrade to these updated packages, which contain backported fixes for these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0490 CAN-2005-0490 Multiple stack based buffer overflows in curl cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf processes BMP images. It is possible that a specially crafted BMP image could cause a denial of service attack on applications linked against gdk-pixbuf. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0891 to this issue. Users of gdk-pixbuf are advised to upgrade to these packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0891 CAN-2005-0891 gdk-pixbuf BMP double free DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. A bug was found in the way gtk2 processes BMP images. It is possible that a specially crafted BMP image could cause a denial of service attack on applications linked against gtk2. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0891 to this issue. Users of gtk2 are advised to upgrade to these packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0891 CAN-2005-0891 gdk-pixbuf BMP double free DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Slocate is a security-enhanced version of locate. Like locate, slocate searches through a central database (updated nightly) for files that match a given pattern. Slocate allows you to quickly find files anywhere on your system. A bug was found in the way slocate scans the local filesystem. A carefully prepared directory structure could cause updatedb's file system scan to fail silently, resulting in an incomplete slocate database. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2499 to this issue. Additionally this update addresses the following issues: - Files with a size of 2 GB and larger were not entered into the slocate database. - File system type exclusions were processed only when starting updatedb and did not reflect file systems mounted while updatedb was running (for example, automounted file systems). - File system type exclusions were ignored for file systems that were mounted to a path containing a symbolic link. - Databases created by slocate were owned by the slocate group even if they were created by regular users. Users of slocate are advised to upgrade to this updated package, which contains backported patches and is not affected by these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-2499 Files > 2 GB are not entered into slocate data base slocate collects .automount files over nfs CAN-2005-2499 slocate DOS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Slocate is a security-enhanced version of locate. Like locate, slocate searches through a central database (updated nightly) for files that match a given pattern. Slocate allows you to quickly find files anywhere on your system. A bug was found in the way slocate scans the local filesystem. A carefully prepared directory structure could cause updatedb's file system scan to fail silently, resulting in an incomplete slocate database. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2499 to this issue. Additionally this update addresses the following issues: - File system type exclusions were processed only when starting updatedb and did not reflect file systems mounted while updatedb was running (for example, automounted file systems.) - File system type exclusions were ignored for file systems that were mounted to a path containing a symbolic link. - Databases created by slocate were owned by the slocate group even if they were created by regular users. - The default configuration excluded /mnt/floppy, but not /media. - The default configuration did not exclude nfs4 file systems. Users of slocate are advised to upgrade to this updated package, which contains backported patches and is not affected by these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-2499 slocate collects .automount files over nfs Incorrect path in /etc/updatedb.conf updatedb indexes nfs4 filesystems CAN-2005-2499 slocate DOS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 TeTeX is an implementation of TeX for Linux or UNIX systems. TeX takes a text file and a set of formatting commands as input and creates a typesetter-independent .dvi (DeVice Independent) file as output. A number of security flaws have been found affecting libraries used internally within teTeX. An attacker who has the ability to trick a user into processing a malicious file with teTeX could cause teTeX to crash or possibly execute arbitrary code. A number of integer overflow bugs that affect Xpdf were discovered. The teTeX package contains a copy of the Xpdf code used for parsing PDF files and is therefore affected by these bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0888 and CAN-2004-1125 to these issues. A number of integer overflow bugs that affect libtiff were discovered. The teTeX package contains an internal copy of libtiff used for parsing TIFF image files and is therefore affected by these bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0803, CAN-2004-0804 and CAN-2004-0886 to these issues. Also latex2html is added to package tetex-latex for 64bit platforms. Users of teTeX should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0803 CVE-2004-0804 CVE-2004-0886 CVE-2004-0888 CVE-2004-1125 CAN-2004-0888 xpdf integer overflows CAN-2004-0803 multiple issues in libtiff (CAN-2004-0804 CAN-2004-0886) tetex-latex package missing latex2html CAN-2004-1125 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The gzip package contains the GNU gzip data compression program. A bug was found in the way zgrep processes file names. If a user can be tricked into running zgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running zgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0758 to this issue. A bug was found in the way gunzip modifies permissions of files being decompressed. A local attacker with write permissions in the directory in which a victim is decompressing a file could remove the file being written and replace it with a hard link to a different file owned by the victim. gunzip then gives the linked file the permissions of the uncompressed file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0988 to this issue. A directory traversal bug was found in the way gunzip processes the -N flag. If a victim decompresses a file with the -N flag, gunzip fails to sanitize the path which could result in a file owned by the victim being overwritten. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1228 to this issue. Users of gzip should upgrade to this updated package, which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0758 CVE-2005-0988 CVE-2005-1228 CAN-2005-0758 zgrep has security issue in sed usage CAN-2005-0988 Race condition in gzip CAN-2005-1228 directory traversal bug cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. An integer overflow flaw was found in PCRE, a Perl-compatible regular expression library included within Exim. A local user could create a maliciously crafted regular expression in such as way that they could gain the privileges of the 'exim' user. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2491 to this issue. These erratum packages change Exim to use the system PCRE library instead of the internal one. These packages also fix a minor flaw where the Exim Monitor was incorrectly computing free space on very large file systems. Users should upgrade to these erratum packages and also ensure they have updated the system PCRE library, for which erratum packages are available seperately in RHSA-2005:761 Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2491 CAN-2005-2491 PCRE heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. A bug was found in the way vixie-cron installs new crontab files. It is possible for a local attacker to execute the crontab command in such a way that they can view the contents of another user's crontab file. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1038 to this issue. Additionally, this update addresses the following issues: o Fixed improper limits on filename and command line lengths o Improved PAM access control conforming to EAL certification requirements o Improved reliability when running in a chroot environment o Mail recipient name checking disabled by default, can be re-enabled o Added '-p' "permit all crontabs" option to disable crontab mode checking All users of vixie-cron should upgrade to this updated package, which contains backported patches and is not vulnerable to these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1038 cron fails to run user jobs and gives vague error message CAN-2005-1038 vixie-cron information leak vixie-cron updates for new audit system Cron no longer allows read-only crontabs, enforces write access cron fails with pam_access crontab truncates file names greater than 100 characters. CAN-2005-1038 vixie-cron information leak [PATCH] List corruption when items are removed from /etc/cron.d cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Gaim application is a multi-protocol instant messaging client. A buffer overflow bug was found in the way gaim escapes HTML. It is possible that a remote attacker could send a specially crafted message to a Gaim client, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0965 to this issue. A bug was found in several of gaim's IRC processing functions. These functions fail to properly remove various markup tags within an IRC message. It is possible that a remote attacker could send a specially crafted message to a Gaim client connected to an IRC server, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0966 to this issue. A bug was found in gaim's Jabber message parser. It is possible for a remote Jabber user to send a specially crafted message to a Gaim client, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0967 to this issue. In addition to these denial of service issues, multiple minor upstream bugfixes are included in this update. Users of Gaim are advised to upgrade to this updated package which contains Gaim version 1.2.1 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0965 CVE-2005-0966 CVE-2005-0967 CAN-2005-0965 Gaim remote DoS issues (CAN-2005-0966) CAN-2005-0967 jabber DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. A flaw in the fib_seq_start function was discovered. A local user could use this flaw to cause a denial of service (system crash) via /proc/net/route. (CAN-2005-1041) A flaw in the tmpfs file system was discovered. A local user could use this flaw to cause a denial of service (system crash). (CAN-2005-0977) An integer overflow flaw was found when writing to a sysfs file. A local user could use this flaw to overwrite kernel memory, causing a denial of service (system crash) or arbitrary code execution. (CAN-2005-0867) Keith Owens reported a flaw in the Itanium unw_unwind_to_user function. A local user could use this flaw to cause a denial of service (system crash) on Itanium architectures. (CAN-2005-0135) A flaw in the NFS client O_DIRECT error case handling was discovered. A local user could use this flaw to cause a denial of service (system crash). (CAN-2005-0207) A small memory leak when defragmenting local packets was discovered that affected the Linux 2.6 kernel netfilter subsystem. A local user could send a large number of carefully crafted fragments leading to memory exhaustion (CAN-2005-0210) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CAN-2005-0384) A flaw was discovered in the ext2 file system code. When a new directory is created, the ext2 block written to disk is not initialized, which could lead to an information leak if a disk image is made available to unprivileged users. (CAN-2005-0400) A flaw in fragment queuing was discovered that affected the Linux kernel netfilter subsystem. On systems configured to filter or process network packets (e.g. firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to sucessfully exploit this flaw, the attacker would need to know or guess some aspects of the firewall ruleset on the target system. (CAN-2005-0449) A number of flaws were found in the Linux 2.6 kernel. A local user could use these flaws to read kernel memory or cause a denial of service (crash). (CAN-2005-0529, CAN-2005-0530, CAN-2005-0531) An integer overflow in sys_epoll_wait in eventpoll.c was discovered. A local user could use this flaw to overwrite low kernel memory. This memory is usually unused, not usually resulting in a security consequence. (CAN-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (crash). (CAN-2005-0749) A flaw was discovered in the bluetooth driver system. On systems where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CAN-2005-0750) A race condition was discovered that affected the Radeon DRI driver. A local user who has DRI privileges on a Radeon graphics card may be able to use this flaw to gain root privileges. (CAN-2005-0767) Multiple range checking flaws were discovered in the iso9660 file system handler. An attacker could create a malicious file system image which would cause a denial or service or potentially execute arbitrary code if mounted. (CAN-2005-0815) A flaw was discovered when setting line discipline on a serial tty. A local user may be able to use this flaw to inject mouse movements or keystrokes when another user is logged in. (CAN-2005-0839) Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Please note that Important Copyright 2005 Red Hat, Inc. CVE-2005-0135 CVE-2005-0207 CVE-2005-0210 CVE-2005-0384 CVE-2005-0400 CVE-2005-0449 CVE-2005-0529 CVE-2005-0530 CVE-2005-0531 CVE-2005-0736 CVE-2005-0749 CVE-2005-0750 CVE-2005-0767 CVE-2005-0815 CVE-2005-0839 CVE-2005-0867 CVE-2005-0977 CVE-2005-1041 CAN-2005-0449 Possible remote Oops/firewall bypass - kABI breaker CAN-2005-0135 ia64 local DoS CAN-2005-0207 nfs client O_DIRECT oops CAN-2005-0529 Sign handling issues on v2.6 (CAN-2005-0530 CAN-2005-0531) CAN-2005-0209 netfilter SKB problem CAN-2005-0384 pppd remote DoS CAN-2005-0736 epoll overflow CAN-2005-0767 drm race in radeon CAN-2005-0750 bluetooth security flaw CAN-2005-0400 ext2 mkdir() directory entry random kernel memory leak CAN-2005-0815 isofs range checking flaws CAN-2005-0749 load_elf_library possible DoS CAN-2005-0839 N_MOUSE line discipline flaw CAN-2005-0977 tmpfs truncate bug CAN-2005-0867 sysfs signedness problem CAN-2005-1041 crash while reading /proc/net/route cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SNMP (Simple Network Management Protocol) is a protocol used for network management. A denial of service bug was found in the way net-snmp uses network stream protocols. It is possible for a remote attacker to send a net-snmp agent a specially crafted packet which will crash the agent. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2177 to this issue. An insecure temporary file usage bug was found in net-snmp's fixproc command. It is possible for a local user to modify the content of temporary files used by fixproc which can lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1740 to this issue. Additionally the following bugs have been fixed: - snmpwalk no longer hangs when a non-existant pid is listed. - snmpd no longer segfaults due to incorrect handling of lmSensors. - an incorrect assignment leading to invalid values in ASN mibs has been fixed. - on systems running a 64-bit kernel, the values in /proc/net/dev no longer become too large to fit in a 32-bit object. - the net-snmp-devel packages correctly depend on elfutils-libelf-devel. - large file systems are correctly handled - snmp daemon now reports gigabit Ethernet speeds correctly - fixed consistency between IP adresses and hostnames in configuration file All users of net-snmp should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-2177 CVE-2005-1740 CVE-2005-4837 net-snmp-devel should depend on elfutils-libelf-devel snmpd.conf hostname vs. IP inconsistancy 64bit network counters peg instead of wrapping CAN-2005-2177 net-snmp denial of service CAN-2005-1740 net-snmp insecure temporary file usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. A heap based buffer overflow bug was found in the OpenOffice.org DOC file processor. An attacker could create a carefully crafted DOC file in such a way that it could cause OpenOffice.org to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0941 to this issue. All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0941 CAN-2005-0941 openoffice.org heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The sharutils package contains a set of tools for encoding and decoding packages of files in binary or text format. A stack based overflow bug was found in the way shar handles the -o option. If a user can be tricked into running a specially crafted command, it could lead to arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1772 to this issue. Please note that this issue does not affect Red Hat Enterprise Linux 4. Two buffer overflow bugs were found in sharutils. If an attacker can place a malicious 'wc' command on a victim's machine, or trick a victim into running a specially crafted command, it could lead to arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1773 to this issue. A bug was found in the way unshar creates temporary files. A local user could use symlinks to overwrite arbitrary files the victim running unshar has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0990 to this issue. All users of sharutils should upgrade to this updated package, which includes backported fixes to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1772 CVE-2004-1773 CVE-2005-0990 CAN-2004-1772 buffer overflow with -o option CAN-2004-1773 Buffer overflows in unshar CAN-2005-0990 insecure temp file usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 GNU cpio copies files into or out of a cpio or tar archive. A race condition bug was found in cpio. It is possible for a local malicious user to modify the permissions of a local file if they have write access to a directory in which a cpio archive is being extracted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1111 to this issue. Additionally, this update adds cpio support for archives larger than 2GB. However, the size of individual files within an archive is limited to 4GB. All users of cpio are advised to upgrade to this updated package, which contains backported fixes for these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1111 cpio does not support large files > 2GB cpio fails to unpack initrd on ppc 511278 - needs fix for RHEL 4 on cpio bugzilla 105617 CVE-2005-1111 Race condition in cpio cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 NASM is an 80x86 assembler. Two stack based buffer overflow bugs have been found in nasm. An attacker could create an ASM file in such a way that when compiled by a victim, could execute arbitrary code on their machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1287 and CAN-2005-1194 to these issues. All users of nasm are advised to upgrade to this updated package, which contains backported fixes for these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1287 CVE-2005-1194 CAN-2004-1287 Bernstein class reports buffer overflow in nasm CAN-2005-1194 Buffer overflow in the ieee_putascii() function cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Vladimir V. Perepelitsa discovered a bug in the way Firefox handles anonymous functions during regular expression string replacement. It is possible for a malicious web page to capture a random block of browser memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0989 to this issue. Omar Khan discovered a bug in the way Firefox processes the PLUGINSPAGE tag. It is possible for a malicious web page to trick a user into pressing the "manual install" button for an unknown plugin leading to arbitrary javascript code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0752 to this issue. Doron Rosenberg discovered a bug in the way Firefox displays pop-up windows. If a user choses to open a pop-up window whose URL is malicious javascript, the script will be executed with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1153 to this issue. A bug was found in the way Firefox handles the javascript global scope for a window. It is possible for a malicious web page to define a global variable known to be used by a different site, allowing malicious code to be executed in the context of the site. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1154 to this issue. Michael Krax discovered a bug in the way Firefox handles favicon links. A malicious web page can programatically define a favicon link tag as javascript, executing arbitrary javascript with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1155 to this issue. Michael Krax discovered a bug in the way Firefox installed search plugins. If a user chooses to install a search plugin from a malicious site, the new plugin could silently overwrite an existing plugin. This could allow the malicious plugin to execute arbitrary code and steal sensitive information. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1156 and CAN-2005-1157 to these issues. Kohei Yoshino discovered a bug in the way Firefox opens links in its sidebar. A malicious web page could construct a link in such a way that, when clicked on, could execute arbitrary javascript with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1158 to this issue. A bug was found in the way Firefox validated several XPInstall related javascript objects. A malicious web page could pass other objects to the XPInstall objects, resulting in the javascript interpreter jumping to arbitrary locations in memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1159 to this issue. A bug was found in the way the Firefox privileged UI code handled DOM nodes from the content window. A malicious web page could install malicious javascript code or steal data requiring a user to do commonplace actions such as clicking a link or opening the context menu. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1160 to this issue. Users of Firefox are advised to upgrade to this updated package which contains Firefox version 1.0.3 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0752 CVE-2005-0989 CVE-2005-1153 CVE-2005-1154 CVE-2005-1155 CVE-2005-1156 CVE-2005-1157 CVE-2005-1158 CVE-2005-1159 CVE-2005-1160 CAN-2005-0752 Multiple firefox issues. (CAN-2005-0989) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several bugs were found with the way Mozilla displays the secure site icon. It is possible that a malicious website could display the secure site icon along with incorrect certificate information. (CAN-2005-0143 CAN-2005-0593) A bug was found in the way Mozilla handles synthetic middle click events. It is possible for a malicious web page to steal the contents of a victims clipboard. (CAN-2005-0146) Several bugs were found with the way Mozilla handles temporary files. A local user could view sensitive temporary information or delete arbitrary files. (CAN-2005-0142 CAN-2005-0578) A bug was found in the way Mozilla handles pop-up windows. It is possible for a malicious website to control the content in an unrelated site's pop-up window. (CAN-2004-1156) A flaw was found in the way Mozilla displays international domain names. It is possible for an attacker to display a valid URL, tricking the user into thinking they are viewing a legitimate webpage when they are not. (CAN-2005-0233) A bug was found in the way Mozilla processes XUL content. If a malicious web page can trick a user into dragging an object, it is possible to load malicious XUL content. (CAN-2005-0401) A bug was found in the way Mozilla handles xsl:include and xsl:import directives. It is possible for a malicious website to import XSLT stylesheets from a domain behind a firewall, leaking information to an attacker. (CAN-2005-0588) Several bugs were found in the way Mozilla displays alert dialogs. It is possible for a malicious webserver or website to trick a user into thinking the dialog window is being generated from a trusted site. (CAN-2005-0586 CAN-2005-0591 CAN-2005-0585 CAN-2005-0590 CAN-2005-0584) A bug was found in the Mozilla javascript security manager. If a user drags a malicious link to a tab, the javascript security manager is bypassed, which could result in remote code execution or information disclosure. (CAN-2005-0231) A bug was found in the way Mozilla allows plug-ins to load privileged content into a frame. It is possible that a malicious webpage could trick a user into clicking in certain places to modify configuration settings or execute arbitrary code. (CAN-2005-0232 and CAN-2005-0527) A bug was found in the way Mozilla handles anonymous functions during regular expression string replacement. It is possible for a malicious web page to capture a random block of browser memory. (CAN-2005-0989) A bug was found in the way Mozilla displays pop-up windows. If a user choses to open a pop-up window whose URL is malicious javascript, the script will be executed with elevated privileges. (CAN-2005-1153) A bug was found in the way Mozilla installed search plugins. If a user chooses to install a search plugin from a malicious site, the new plugin could silently overwrite an existing plugin. This could allow the malicious plugin to execute arbitrary code and stealm sensitive information. (CAN-2005-1156 CAN-2005-1157) Several bugs were found in the Mozilla javascript engine. A malicious web page could leverage these issues to execute javascript with elevated privileges or steal sensitive information. (CAN-2005-1154 CAN-2005-1155 CAN-2005-1159 CAN-2005-1160) Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.7.7 to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1156 CVE-2005-0142 CVE-2005-0143 CVE-2005-0146 CVE-2005-0231 CVE-2005-0232 CVE-2005-0233 CVE-2005-0401 CVE-2005-0527 CVE-2005-0578 CVE-2005-0584 CVE-2005-0585 CVE-2005-0586 CVE-2005-0588 CVE-2005-0590 CVE-2005-0591 CVE-2005-0593 CVE-2005-0989 CVE-2005-1153 CVE-2005-1154 CVE-2005-1155 CVE-2005-1156 CVE-2005-1157 CVE-2005-1159 CVE-2005-1160 CAN-2004-1156 Frame injection vulnerability. CAN-2005-0585 download dialog URL spoofing CAN-2005-0142 Opened attachments are temporarily saved world-readable CAN-2005-0143 Secure site lock can be spoofed with a binary download CAN-2005-0146 Synthetic middle-click event can steal clipboard contents CAN-2005-0233 homograph spoofing CAN-2005-0401 Drag and drop loading of privileged XUL CAN-2005-0578 Mozilla issues (CAN-2005-0232 CAN-2005-0527 CAN-2005-0231 CAN-2005-0584 CAN-2005-0585 CAN-2005-0586 CAN-2005-0588 CAN-2005-0590 CAN-2005-0591 CAN-2005-0593) CAN-2005-0989 Multiple Mozilla issues. (CAN-2005-1153 CAN-2005-1154 CAN-2005-1155 CAN-2005-1156 CAN-2005-1157 CAN-2005-1159 CAN-2005-1160) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Vladimir V. Perepelitsa discovered a bug in the way Mozilla handles anonymous functions during regular expression string replacement. It is possible for a malicious web page to capture a random block of browser memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0989 to this issue. Doron Rosenberg discovered a bug in the way Mozilla displays pop-up windows. If a user choses to open a pop-up window whose URL is malicious javascript, the script will be executed with elevated privileges. (CAN-2005-1153) A bug was found in the way Mozilla handles the javascript global scope for a window. It is possible for a malicious web page to define a global variable known to be used by a different site, allowing malicious code to be executed in the context of the site. (CAN-2005-1154) Michael Krax discovered a bug in the way Mozilla handles favicon links. A malicious web page can programatically define a favicon link tag as javascript, executing arbitrary javascript with elevated privileges. (CAN-2005-1155) Michael Krax discovered a bug in the way Mozilla installed search plugins. If a user chooses to install a search plugin from a malicious site, the new plugin could silently overwrite an existing plugin. This could allow the malicious plugin to execute arbitrary code and stealm sensitive information. (CAN-2005-1156 CAN-2005-1157) A bug was found in the way Mozilla validated several XPInstall related javascript objects. A malicious web page could pass other objects to the XPInstall objects, resulting in the javascript interpreter jumping to arbitrary locations in memory. (CAN-2005-1159) A bug was found in the way the Mozilla privileged UI code handled DOM nodes from the content window. A malicious web page could install malicious javascript code or steal data requiring a user to do commonplace actions such as clicking a link or opening the context menu. (CAN-2005-1160) Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.7.7 to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0989 CVE-2005-1153 CVE-2005-1154 CVE-2005-1155 CVE-2005-1156 CVE-2005-1157 CVE-2005-1159 CVE-2005-1160 CAN-2005-0989 Multiple Mozilla issues. (CAN-2005-1153 CAN-2005-1154 CAN-2005-1155 CAN-2005-1156 CAN-2005-1157 CAN-2005-1159 CAN-2005-1160) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 CVS (Concurrent Version System) is a version control system. A buffer overflow bug was found in the way the CVS client processes version and author information. If a user can be tricked into connecting to a malicious CVS server, an attacker could execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0753 to this issue. Additionally, a bug was found in which CVS freed an invalid pointer. However, this issue does not appear to be exploitable. All users of cvs should upgrade to this updated package, which includes a backported patch to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0753 CAN-2005-0753 multiple issues in cvs cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 HelixPlayer is a media player. A buffer overflow bug was found in the way HelixPlayer processes RAM files. An attacker could create a specially crafted RAM file which could execute arbitrary code when opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0755 to this issue. All users of HelixPlayer are advised to upgrade to this updated package, which contains HelixPlayer version 10.0.4 and is not vulnerable to this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0755 CAN-2005-0755 HelixPlayer buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 KDE is a graphical desktop environment for the X Window System. Konqueror is the file manager for the K Desktop Environment. A source code audit performed by the KDE security team discovered several vulnerabilities in the PCX and other image file format readers. A buffer overflow was found in the kimgio library for KDE 3.4.0. An attacker could create a carefully crafted PCX image in such a way that it would cause kimgio to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1046 to this issue. All users of kdelibs should upgrade to these updated packages, which contain a backported security patch to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-1046 CAN-2005-1046 PCX file integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SNMP (Simple Network Management Protocol) is a protocol used for network management. A denial of service bug was found in the way net-snmp uses network stream protocols. It is possible for a remote attacker to send a net-snmp agent a specially crafted packet that will crash the agent. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2177 to this issue. An insecure temporary file usage bug was found in net-snmp's fixproc command. It is possible for a local user to modify the content of temporary files used by fixproc that can lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1740 to this issue. Additionally, the following bugs have been fixed: - The lmSensors are correctly recognized, snmp deamon no longer segfaults - The larger swap partition sizes are correctly reported - Querying hrSWInstalledLastUpdateTime no longer crashes the snmp deamon - Fixed error building ASN.1 representation - The 64-bit network counters correctly wrap - Large file systems are correctly handled - Snmptrapd initscript correctly reads options from its configuration file /etc/snmp/snmptrapd.options - Snmp deamon no longer crashes when restarted using the agentX protocol - snmp daemon now reports gigabit Ethernet speeds correctly - MAC adresses are shown when requested instead of IP adresses All users of net-snmp should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1740 CVE-2005-2177 CVE-2005-4837 snmpd dies when getting enterprises.ucdavis.memory.memTotalSwap.0 snmpd exits without a diagnostic: SIGSEGV 64bit network counters peg instead of wrapping /etc/init.d/snmptrapd wrong order in setting variables... x86_64: net-snmp dies when querying hrSWInstalledLastUpdateTime CAN-2005-1740 net-snmp insecure temporary file usage CAN-2005-2177 net-snmp denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon. Several integer overflow bugs were found in the way X.org parses pixmap images. It is possible for a user to gain elevated privileges by loading a specially crafted pixmap image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2495 to this issue. Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-2495 CAN-2005-2495 multiple integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Evolution is a GNOME-based collection of personal information management (PIM) tools. A bug was found in the way Evolution displays mail messages. It is possible that an attacker could create a specially crafted mail message that when opened by a victim causes Evolution to stop responding. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0806 to this issue. A bug was also found in Evolution's helper program camel-lock-helper. This bug could allow a local attacker to gain root privileges if camel-lock-helper has been built to execute with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0102 to this issue. On Red Hat Enterprise Linux, camel-lock-helper is not built to execute with elevated privileges by default. Please note however that if users have rebuilt Evolution from the source RPM, as the root user, camel-lock-helper may be given elevated privileges. All users of evolution should upgrade to these updated packages, which include backported fixes to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0102 CVE-2005-0806 CAN-2005-0102 Integer overflow in camel-lock-helper CAN-2005-0806 DoS from mail message cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0524 and CAN-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way that it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1043 to this issue. Several bug fixes are also included in this update: - The security fixes in RHSA-2004-687 to the "unserializer" code introduced some performance issues. - In the gd extension, the "imagecopymerge" function did not correctly handle transparency. The original image was being obscured in the resultant image. - In the curl extension, safe mode was not enforced for 'file:///' URL lookups (CAN-2004-1392). Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1392 CVE-2005-0524 CVE-2005-0525 CVE-2005-1042 CVE-2005-1043 PHP pages slow, HTTPD eating cpu php curl open_basedir bypass make PHP oci8 driver support Oracle Instant Client RPM PHP GD ImageCopyMerge broken CAN-2005-0524 PHP getimagesize() Multiple Denial of Service Vulnerabilities CAN-2005-0525 CAN-2005-1042 PHP exif buffer overflow CAN-2005-1043 PHP exif infinite stack recursion cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0524 and CAN-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1043 to this issue. Several bug fixes are also included in this update: - some performance issues in the unserialize() function have been fixed - the behaviour of the interpreter when handling integer overflow during conversion of a floating variable to an integer has been reverted to match the behaviour used upstream; the integer will now be wrapped rather than truncated - a fix for the virtual() function in the Apache httpd module which would flush the response prematurely - the hard-coded default "safe mode" setting is now "disabled" rather than "enabled"; to match the default /etc/php.ini setting - in the curl extension, safe mode was not enforced for 'file:///' URL lookups (CAN-2004-1392). Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1392 CVE-2005-0524 CVE-2005-0525 CVE-2005-1042 CVE-2005-1043 Error in configure prevents php SRPM rebuild on x86_64 w/ mssql module CAN-2005-0524 PHP getimagesize() Multiple Denial of Service Vulnerabilities CAN-2005-0525 CAN-2005-1042 PHP exif buffer overflow CAN-2005-1043 PHP exif infinite stack recursion cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The cyrus-imapd package contains the core of the Cyrus IMAP server. Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0546 to this issue. Users of cyrus-imapd are advised to upgrade to these updated packages, which contain cyrus-imapd version 2.2.12 to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0546 CAN-2005-0546 multiple buffer overflows in cyrus-imapd cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 gFTP is a multi-threaded FTP client for the X Window System. A directory traversal bug was found in gFTP. If a user can be tricked into downloading a file from a malicious ftp server, it is possible to overwrite arbitrary files owned by the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0372 to this issue. Users of gftp should upgrade to this updated package, which contains a backported fix for this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0372 CAN-2005-0372 directory traversal issue in gftp cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 OpenMotif provides libraries which implement the Motif industry standard graphical user interface. An integer overflow flaw was found in libXpm, which is used to decode XPM (X PixMap) images. A vulnerable version of this library was found within OpenMotif. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0605 to this issue. Users of OpenMotif are advised to upgrade to these erratum packages, which contains a backported security patch to the embedded libXpm library. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0605 CAN-2005-0605 libxpm issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 ImageMagick(TM) is an image display and manipulation tool for the X Window System which can read and write multiple image formats. A heap based buffer overflow bug was found in the way ImageMagick parses PNM files. An attacker could execute arbitrary code on a victim's machine if they were able to trick the victim into opening a specially crafted PNM file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1275 to this issue. Users of ImageMagick should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-1275 CAN-2005-1275 ImageMagick PNM heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A race condition bug was found in the way Squid handles the now obsolete Set-Cookie header. It is possible that Squid can leak Set-Cookie header information to other clients connecting to Squid. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0626 to this issue. Please note that this issue only affected Red Hat Enterprise Linux 4. A bug was found in the way Squid handles PUT and POST requests. It is possible for an authorised remote user to cause a failed PUT or POST request which can cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0718 to this issue. A bug was found in the way Squid processes errors in the access control list. It is possible that an error in the access control list could give users more access than intended. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1345 to this issue. A bug was found in the way Squid handles access to the cachemgr.cgi script. It is possible for an authorised remote user to bypass access control lists with this flaw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-1999-0710 to this issue. A bug was found in the way Squid handles DNS replies. If the port Squid uses for DNS requests is not protected by a firewall it is possible for a remote attacker to spoof DNS replies, possibly redirecting a user to spoofed or malicious content. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1519 to this issue. Additionally this update fixes the following bugs: - LDAP Authentication fails with an assertion error when using Red Hat Enterprise Linux 4 Users of Squid should upgrade to this updated package, which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-1999-0710 CVE-2005-0626 CVE-2005-0718 CVE-2005-1345 CVE-2005-1519 insecure permissions for squid.conf CAN-2005-0626 Cookie leak in squid LDAP Authentication fails with an assertion error. CAN-2005-1345 Unexpected access control results on configuration errors CAN-2005-0718 Segmentation fault on failed PUT/POST request CVE-1999-0710 cachemgr.cgi access control bypass CAN-2005-1519 DNS lookups unreliable on untrusted networks cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Tcpdump is a command-line tool for monitoring network traffic. Several denial of service bugs were found in the way tcpdump processes certain network packets. It is possible for an attacker to inject a carefully crafted packet onto the network, crashing a running tcpdump session. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1278, CAN-2005-1279, and CAN-2005-1280 to these issues. The tcpdump utility can now write a file larger than 2 GB. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1278 CVE-2005-1279 CVE-2005-1280 tcpdump can't write to a file greater than 2G CAN-2005-1280 Multiple DoS issues in tcpdump (CAN-2005-1279 CAN-2005-1278) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. This is the first regular kernel update to Red Hat Enterprise Linux 4. A flaw affecting the auditing code was discovered. On Itanium architectures a local user could use this flaw to cause a denial of service (crash). This issue is rated as having important security impact (CAN-2005-0136). A flaw was discovered in the servicing of a raw device ioctl. A local user who has access to raw devices could use this flaw to write to kernel memory and cause a denial of service or potentially gain privileges. This issue is rated as having moderate security impact (CAN-2005-1264). A flaw in fragment forwarding was discovered that affected the netfilter subsystem for certain network interface cards. A remote attacker could send a set of bad fragments and cause a denial of service (system crash). Acenic and SunGEM network interfaces were the only adapters affected, which are in widespread use. (CAN-2005-0209) A flaw in the futex functions was discovered affecting the Linux 2.6 kernel. A local user could use this flaw to cause a denial of service (system crash). (CAN-2005-0937) New features introduced by this update include: - Fixed TCP BIC congestion handling. - Diskdump support for more controllers (megaraid, SATA) - Device mapper multipath support - AMD64 dual core support. - Intel ICH7 hardware support. There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4. The following device drivers have been upgraded to new versions: ata_piix -------- 1.03 bonding --------- 2.6.1 e1000 ----------- 5.6.10.1-k2-NAPI e100 ------------ 3.3.6-k2-NAPI ibmveth --------- 1.03 libata ---------- 1.02 to 1.10 lpfc ------------ 0:8.0.16 to 0:8.0.16.6_x2 megaraid_mbox --- 2.20.4.0 to 2.20.4.5 megaraid_mm ----- 2.20.2.0-rh1 to 2.20.2.5 sata_nv --------- 0.03 to 0.6 sata_promise ---- 1.00 to 1.01 sata_sil -------- 0.8 sata_sis -------- 0.5 sata_svw -------- 1.05 sata_sx4 -------- 0.7 sata_via -------- 1.0 sata_vsc -------- 1.0 tg3 ------------- 3.22-rh ipw2100 --------- 1.0.3 ipw2200 --------- 1.0.0 All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2005 Red Hat, Inc. CVE-2005-0136 CVE-2005-0209 CVE-2005-0937 CVE-2005-1264 CVE-2005-3107 PTRACE_ATTACH race with real parent's wait calls can produced bogus wait returns Intolerable Disk I/O Performance under 64-bit VM: fix I/O buffers "waitid(POSIX Interface)" cannot run properly. [PATCH] RHEL4 U1: EFI GPT: reduce alternate header probing lx-choptp19 crashed running 2.4.21-20.EL.BZ131027.hotfixhugemem BLKFLSBUF ioctl can cause other reads x86, x86_64 and IA64 scsi inquiry command hangs in wait_for_completion FEAT: RHEL 4 U3: ia64 needs hint@pause in spinloop RHEL4 U2: DBS: quiet warning messages from cpufreq.c [RHEL4][Diskdump] smp_call_function issue [PATCH] "RPC: garbage, exit EIO" when using NFSv3 with Kerberos 5 traced process cannot be killed hugetlb mmap failed in compatibility mode in em64t ext2 and device dm-0 byond 2Terabyte causes /var/log/messages file size to crash system RHEL4 U1: ICH7 Support patch problems with ipsec from rhel3 to rhel4 [PATCH] Channel bonding driver configured in 802.3 ad mode causes kernel panic when shutdwon 20050115 ptrace/kill and ptrace/dump race fixes NLM (NFSv3) problems when mounting with "sec=krb5" SCTP memory consumption and system freezes Thread suspension via async signal fails on rhel4-rc2 oom-killer triggered during Red Hat Cert chipset identifier for zx2 Lockd callbacks to NFS clients fail completely mmap of file over NFS corrupts data host panics when mounting nfs4 volumes host loses connection to nfs server when the server is solaris 20050117 Oopsable NFS locking Thread exits siliently via __RESTORE_ALL exeception for iret kernel thread current->mm dereference in grab_swap_token causes oops unexplained SIGSEGV death in SIGSEGV signal handler CAN-2005-0136 ptrace corner cases on ia64 oops on 2.6.9-5.0.5.ELsmp libata - master supports lba48 but slave does not CAN-2005-1263 Linux kernel ELF core dump privilege elevation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Tcpdump is a command-line tool for monitoring network traffic. Several denial of service bugs were found in the way tcpdump processes certain network packets. It is possible for an attacker to inject a carefully crafted packet onto the network, crashing a running tcpdump session. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1278, CAN-2005-1279, and CAN-2005-1280 to these issues. Additionally, the tcpdump utility can now write a file larger than 2 GB, parse some new VLAN IDs, and parse messages on 64bit architectures. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1278 CVE-2005-1279 CVE-2005-1280 [RHEL3] tcpdump not decoding NFS traffic properly on ia64 tcpdump can't write to a file greater than 2G CAN-2005-1280 Multiple DoS issues in tcpdump (CAN-2005-1279 CAN-2005-1278) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The ethereal package is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws and cause Ethereal to crash or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1456, CAN-2005-1457, CAN-2005-1458, CAN-2005-1459, CAN-2005-1460, CAN-2005-1461, CAN-2005-1462, CAN-2005-1463, CAN-2005-1464, CAN-2005-1465, CAN-2005-1466, CAN-2005-1467, CAN-2005-1468, CAN-2005-1469, and CAN-2005-1470 to these issues. Users of ethereal should upgrade to these updated packages, which contain version 0.10.11 which is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1456 CVE-2005-1457 CVE-2005-1458 CVE-2005-1459 CVE-2005-1460 CVE-2005-1461 CVE-2005-1462 CVE-2005-1463 CVE-2005-1464 CVE-2005-1465 CVE-2005-1466 CVE-2005-1467 CVE-2005-1468 CVE-2005-1469 CVE-2005-1470 multiple ethereal security issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Gaim application is a multi-protocol instant messaging client. A stack based buffer overflow bug was found in the way gaim processes a message containing a URL. A remote attacker could send a carefully crafted message resulting in the execution of arbitrary code on a victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1261 to this issue. A bug was found in the way gaim handles malformed MSN messages. A remote attacker could send a carefully crafted MSN message causing gaim to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1262 to this issue. Users of Gaim are advised to upgrade to this updated package which contains backported patches and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-1261 CVE-2005-1262 CAN-2005-1261 Gaim long url buffer overflow CAN-2005-1262 Gaim MSN DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The GnuTLS library implements Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1) protocols. A denial of service bug was found in the GnuTLS library versions prior to 1.0.25. A remote attacker could perform a carefully crafted TLS handshake against a service that uses the GnuTLS library causing the service to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1431 to this issue. All users of GnuTLS are advised to upgrade to these updated packages and to restart any services which use GnuTLS. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1431 CAN-2005-1431 gnutls record packet parsing DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). The PostgreSQL community discovered two distinct errors in initial system catalog entries that could allow authorized database users to crash the database and possibly escalate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1409 and CAN-2005-1410 to these issues. Although installing this update will protect new (freshly initdb'd) database installations from these errors, administrators MUST TAKE MANUAL ACTION to repair the errors in pre-existing databases. The appropriate procedures are explained at http://www.postgresql.org/docs/8.0/static/release-7-4-8.html for Red Hat Enterprise Linux 4 users, or http://www.postgresql.org/docs/8.0/static/release-7-3-10.html for Red Hat Enterprise Linux 3 users. This update corrects several problems that might occur while trying to upgrade a Red Hat Enterprise Linux 3 installation (containing rh-postgresql packages) to Red Hat Enterprise Linux 4 (containing postgresql packages). These updated packages correctly supersede the rh-postgresql packages. The original release of Red Hat Enterprise Linux 4 failed to initialize the database correctly if started for the first time with SELinux in enforcement mode. This update corrects that problem. If you already have a nonfunctional database in place, shut down the postgresql service if running, install this update, then do "sudo rm -rf /var/lib/pgsql/data" before restarting the postgresql service. This update also solves the problem that the PostgreSQL server might fail to restart after a system reboot, due to a stale lockfile. This update also corrects a problem with wrong error messages in libpq, the postgresql client library. The library would formerly report kernel error messages incorrectly when the locale setting was not C. This update also includes fixes for several other errors, including two race conditions that could result in apparent data inconsistency or actual data loss. All users of PostgreSQL are advised to upgrade to these updated packages and to apply the recommended manual corrections to existing databases. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1409 CVE-2005-1410 selinux <<EOF bug breaks PostgreSQL too PostgreSQL server does not start after crash because wrong PID file location upgrade from rhel-3 rh-postgresql to rhel-4 postgresql removes user "postgres" CAN-2005-1409 Multiple postgresql issues (CAN-2005-1410) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Several bugs were found in the way Firefox executes javascript code. Javascript executed from a web page should run with a restricted access level, preventing dangerous actions. It is possible that a malicious web page could execute javascript code with elevated privileges, allowing access to protected data and functions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1476, CAN-2005-1477, CAN-2005-1531, and CAN-2005-1532 to these issues. Please note that the effects of CAN-2005-1477 are mitigated by the default setup, which allows only the Mozilla Update site to attempt installation of Firefox extensions. The Mozilla Update site has been modified to prevent this attack from working. If other URLs have been manually added to the whitelist, it may be possible to execute this attack. Users of Firefox are advised to upgrade to this updated package which contains Firefox version 1.0.4 which is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-1476 CVE-2005-1477 CVE-2005-1531 CVE-2005-1532 CAN-2005-1476 Multiple Firefox issues (CAN-2005-1477 CAN-2005-1531 CAN-2005-1532) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several bugs were found in the way Mozilla executes javascript code. Javascript executed from a web page should run with a restricted access level, preventing dangerous actions. It is possible that a malicious web page could execute javascript code with elevated privileges, allowing access to protected data and functions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1476, CAN-2005-1477, CAN-2005-1531, and CAN-2005-1532 to these issues. Users of Mozilla are advised to upgrade to this updated package, which contains Mozilla version 1.7.8 to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-1476 CVE-2005-1477 CVE-2005-1531 CVE-2005-1532 CAN-2005-1476 Multiple Mozilla issues (CAN-2005-1477 CAN-2005-1531 CAN-2005-1532) devhelp not updated for new mozilla cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the three security issues described below as well as an important fix for a problem that could lead to data corruption on x86-architecture SMP systems with greater than 4GB of memory through heavy usage of multi-threaded applications. A flaw between execve() syscall handling and core dumping of ELF-format executables allowed local unprivileged users to cause a denial of service (system crash) or possibly gain privileges. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-1263 to this issue. A flaw in shared memory locking allowed local unprivileged users to lock and unlock regions of shared memory segments they did not own (CAN-2005-0176). A flaw in the locking of SysV IPC shared memory regions allowed local unprivileged users to bypass their RLIMIT_MEMLOCK resource limit (CAN-2004-0491). Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Please also consult the RHEL3 Update 5 advisory RHSA-2005:294 for the complete list of features added and bugs fixed in U5, which was released only a week prior to this security update. Important Copyright 2005 Red Hat, Inc. CVE-2004-0491 CVE-2005-0176 CVE-2005-1263 CVE-2004-0491 mlock accounting issue Memory corruption with kernel 2.4.21-27.EL kernel 2.4.21-25.ELsmp panic (kscand) CVE-2005-0176 unlock someone elses ipc memory Kernel panic regression in 2.4.21-27.0.2.ELsmp Page corruption in U5 Beta Memory corruption CVE-2005-1263 Linux kernel ELF core dump crash vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Bzip2 is a data compressor. A bug was found in the way bzgrep processes file names. If a user can be tricked into running bzgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running bzgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0758 to this issue. A bug was found in the way bzip2 modifies file permissions during decompression. If an attacker has write access to the directory into which bzip2 is decompressing files, it is possible for them to modify permissions on files owned by the user running bzip2 (CVE-2005-0953). A bug was found in the way bzip2 decompresses files. It is possible for an attacker to create a specially crafted bzip2 file which will cause bzip2 to cause a denial of service (by filling disk space) if decompressed by a victim (CVE-2005-1260). Users of Bzip2 should upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2008 Red Hat, Inc. CVE-2005-0758 CVE-2005-0953 CVE-2005-1260 CAN-2005-0953 bzip2 race condition CAN-2005-1260 bzip2 decompression bomb (DoS) CVE-2005-0758 bzgrep has security issue in sed usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Colin Percival reported a cache timing attack that could allow a malicious local user to gain portions of cryptographic keys. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-0109 to the issue. The OpenSSL library has been patched to add a new fixed-window mod_exp implementation as default for RSA, DSA, and DH private-key operations. This patch is designed to mitigate cache timing and potentially related attacks. A flaw was found in the way the der_chop script creates temporary files. It is possible that a malicious local user could cause der_chop to overwrite files (CAN-2004-0975). The der_chop script was deprecated and has been removed from these updated packages. Red Hat Enterprise Linux 4 did not ship der_chop and is therefore not vulnerable to this issue. Users are advised to update to these erratum packages which contain patches to correct these issues. Please note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0975 CVE-2005-0109 CAN-2004-0975 temporary file vulnerabilities in der_chop script CAN-2004-0975 temporary file vulnerabilities in der_chop script CAN-2005-0109 timing attack on OpenSSL with HT cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 ImageMagick(TM) is an image display and manipulation tool for the X Window System that can read and write multiple image formats. A denial of service bug was found in the way ImageMagick parses XWD files. A user or program executing ImageMagick to process a malicious XWD file can cause ImageMagick to enter an infinite loop causing a denial of service condition. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1739 to this issue. Users of ImageMagick should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1739 CAN-2005-1739 ImageMagick XWD denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email. A denial of service bug has been found in SpamAssassin. An attacker could construct a message in such a way that would cause SpamAssassin to consume CPU resources. If a number of these messages were sent it could lead to a denial of service, potentially preventing the delivery or filtering of email. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1266 to this issue. SpamAssassin version 3.0.4 additionally solves a number of bugs including: - #156390 Spamassassin consumes too much memory during learning - #155423 URI blacklist spam bypass - #147464 Users may now disable subject rewriting - Smarter default Bayes scores - Numerous other bug fixes that improve spam filter accuracy and safety For full details, please refer to the change details of 3.0.2, 3.0.3, and 3.0.4 in SpamAssassin's online documentation at the following address: http://wiki.apache.org/spamassassin/NextRelease Users of SpamAssassin should update to this updated package, containing version 3.0.4 which is not vulnerable to this issue and resolves these bugs. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1266 spamassassin no longer allows disabling subject rewriting spamd generate child processes which occupies all memory CAN-2005-1266 spamassassin DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 gEdit is a small text editor designed specifically for the GNOME GUI desktop. A file name format string vulnerability has been discovered in gEdit. It is possible for an attacker to create a file with a carefully crafted name which, when the file is opened, executes arbitrary instructions on a victim's machine. Although it is unlikely that a user would manually open a file with such a carefully crafted file name, a user could, for example, be tricked into opening such a file from within an email client. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1686 to this issue. Users of gEdit should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1686 CAN-2005-1686 filename format string vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. Several integer overflow bugs were found in the way XFree86 parses pixmap images. It is possible for a user to gain elevated privileges by loading a specially crafted pixmap image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2495 to this issue. Additionally this update adds the following new features in this release: - Support for ATI RN50/ES1000 chipsets has been added. The following bugs were also fixed in this release: - A problem with the X server's module loading system that led to cache incoherency on the Itanium architecture. - The X server's PCI config space accesses caused contention with the kernel if accesses occurred while the kernel lock was held. - X font server (xfs) crashed when accessing Type 1 fonts via showfont. - A problem with the X transport library prevented X applications from starting if the hostname started with a digit. - An issue where refresh rates were being restricted to 60Hz on some Intel i8xx systems Users of XFree86 should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-2495 no refresh > 60 Hz for i810 (xtrans bug) Can't open display: 50dhcp26:0.0 X Font Server crashes when accessing Type 1 fonts via showfont. ia64 elfloader cache flush CAN-2005-2495 multiple integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Sysreport is a utility that gathers information about a system's hardware and configuration. The information can then be used for diagnostic purposes and debugging. When run by the root user, sysreport includes the contents of the /etc/sysconfig/rhn/up2date configuration file. If up2date has been configured to connect to a proxy server that requires an authentication password, that password is included in plain text in the system report. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1760 to this issue. Users of sysreport should update to this erratum package, which contains a patch that removes any proxy authentication passwords. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1760 CAN-2005-1760 sysreport includes proxy password in cleartext cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The telnet package provides a command line telnet client. Gaël Delalleau discovered an information disclosure issue in the way the telnet client handles messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0488 to this issue. Users of telnet should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2005-0488 CAN-2005-0488 telnet Information Disclosure Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Tcpdump is a command line tool for monitoring network traffic. A denial of service bug was found in tcpdump during the processing of certain network packets. It is possible for an attacker to inject a carefully crafted packet onto the network, crashing a running tcpdump session. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1267 to this issue. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1267 CAN-2005-1267 tcpdump BGP DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 MikMod is a well known MOD music file player for UNIX-based systems. A buffer overflow bug was found in mikmod during the processing of archive filenames. An attacker could create a malicious archive that when opened by mikmod could result in arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0427 to this issue. Users of mikmod are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. Low Copyright 2005 Red Hat, Inc. CVE-2003-0427 CAN-2003-0427 mikmod flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. This is the second regular kernel update to Red Hat Enterprise Linux 4. New features introduced in this update include: - Audit support - systemtap - kprobes, relayfs - Keyring support - iSCSI Initiator - iscsi_sfnet 4:0.1.11-1 - Device mapper multipath support - Intel dual core support - esb2 chipset support - Increased exec-shield coverage - Dirty page tracking for HA systems - Diskdump -- allow partial diskdumps and directing to swap There were several bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4. The following security bugs were fixed in this update, detailed below with corresponding CAN names available from the Common Vulnerabilities and Exposures project (cve.mitre.org): - flaws in ptrace() syscall handling on 64-bit systems that allowed a local user to cause a denial of service (crash) (CAN-2005-0756, CAN-2005-1761, CAN-2005-1762, CAN-2005-1763) - flaws in IPSEC network handling that allowed a local user to cause a denial of service or potentially gain privileges (CAN-2005-2456, CAN-2005-2555) - a flaw in sendmsg() syscall handling on 64-bit systems that allowed a local user to cause a denial of service or potentially gain privileges (CAN-2005-2490) - a flaw in sendmsg() syscall handling that allowed a local user to cause a denial of service by altering hardware state (CAN-2005-2492) - a flaw that prevented the topdown allocator from allocating mmap areas all the way down to address zero (CAN-2005-1265) - flaws dealing with keyrings that could cause a local denial of service (CAN-2005-2098, CAN-2005-2099) - a flaw in the 4GB split patch that could allow a local denial of service (CAN-2005-2100) - a xattr sharing bug in the ext2 and ext3 file systems that could cause default ACLs to disappear (CAN-2005-2801) - a flaw in the ipt_recent module on 64-bit architectures which could allow a remote denial of service (CAN-2005-2872) The following device drivers have been upgraded to new versions: qla2100 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2200 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2300 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2322 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2xxx --------- 8.00.00b21-k to 8.01.00b5-rh2 qla6312 --------- 8.00.00b21-k to 8.01.00b5-rh2 megaraid_mbox --- 2.20.4.5 to 2.20.4.6 megaraid_mm ----- 2.20.2.5 to 2.20.2.6 lpfc ------------ 0:8.0.16.6_x2 to 0:8.0.16.17 cciss ----------- 2.6.4 to 2.6.6 ipw2100 --------- 1.0.3 to 1.1.0 tg3 ------------- 3.22-rh to 3.27-rh e100 ------------ 3.3.6-k2-NAPI to 3.4.8-k2-NAPI e1000 ----------- 5.6.10.1-k2-NAPI to 6.0.54-k2-NAPI 3c59x ----------- LK1.1.19 mptbase --------- 3.01.16 to 3.02.18 ixgb ------------ 1.0.66 to 1.0.95-k2-NAPI libata ---------- 1.10 to 1.11 sata_via -------- 1.0 to 1.1 sata_ahci ------- 1.00 to 1.01 sata_qstor ------ 0.04 sata_sil -------- 0.8 to 0.9 sata_svw -------- 1.05 to 1.06 s390: crypto ---- 1.31 to 1.57 s390: zfcp ------ s390: CTC-MPC --- s390: dasd ------- s390: cio ------- s390: qeth ------ All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2005 Red Hat, Inc. CVE-2005-0756 CVE-2005-1265 CVE-2005-1761 CVE-2005-1762 CVE-2005-1763 CVE-2005-2098 CVE-2005-2099 CVE-2005-2100 CVE-2005-2456 CVE-2005-2490 CVE-2005-2492 CVE-2005-2555 CVE-2005-2801 CVE-2005-2872 CVE-2005-3105 CVE-2005-3274 CVE-2005-3275 CVE-2005-4886 CVE-2006-5871 RHEL4 U1: File Delegation, at least read-only. RHEL4: keyring support (OpenAFS enabler) Inspiron 8500 practically hangs when configuring b44 NIC with 1.5G memory tcsendbreak fails in compat mode RH40-beta1, embedded IDE/PCI drivers not honoring Sub ID's/Class code [PATCH] i2o_block timeout Adaptec 2400A raid card domain validation fails on DVD-305 when CD in drive Terminated threads' resource usage is hidden from procps System doesn't reboot even if kernel.panic is > 0 on RHEL-4 Beta-2. [RHEL4-U2][Diskdump] Partial dump Socket option IP_FREEBIND has no effect on SCTP socket. Socket option SO_BINDTODEVICE problems with SCTP listening socket. Sub-second mtime changes without modifying file [RHEL4RC1] chicony usb keyboard fails, with side effects NFSv3 over Kerberos: gss_get_mic FAILED during xdm login attempt Sense data errors are seen when trying to access a travan tape device Bug / data corruption on error handling in Ext3 under I/O failure condition highmem.c: fix bio error propagation kernel panic when tar'ing data to IDE Tape device nfsv4 callback authentication patch smp_apic_timer_interrupt() executes on kernel thread stack kernel BUG() at pageattr:107 with rmmod e1000 Kernel BUG at pageattr:107 Fusion MPT doesn't handle multiple PCI domains correctly LVM snapshots over md raid1 cause corruption ppc64 arches can crash when single setpping a debugger through syscall return code openipmi drivers missing compat_ioctl's on x86_64 kernel fail to mount nfs4 servers RHEL4 U1 Oracle 10G 10.0.3 aio hang running tpc-c assertion failrue in semaphore.h caused by perfmon spin_lock already locked by xfrm4_output kernel dm-emc: Fix spinlock reset kernel dm-multipath: multiple pg_inits can be issued in parallel CAN-2005-1762 x86_64 sysret exception leads to DoS oops when catting /proc/net/ip_conntrack_expect Debugger killed by kernel when looking at the lowest addressed vmalloc page add fix for IPMI/ACPI OOPS 20050313 SCSI tape security CAN-2005-2801 xattr sharing bug [RHEL4-U2][Diskdump] hangs when SCSI drive is busy [RHEL4-U2] Diskdump - swap partition support Serial console corrupt on boot Systemtap patches to be ported to RHEL4 U2 kernel sysctl -A returns an error [not quite PATCH] tg3 driver crashes kernel with BCM5752 chip, newer driver is OK Serial console turns into garbage after initialising 16550A nfs server intermitently claims ENOENT on existing files or directories CAN-2005-1265 Prevent NULL mmap in topdown model Annoying i2o_config kernel module messages during raidutil run 32-bit GETBLKSIZE ioctl overflows incorrectly on 64-bit hosts. [Patch] modprobling a module signed with a key not known to the kernel can result in a panic. proc and sysctl interface for lockd grace period do not work CAN-2005-1761 local user can use ptrace to crash system [Stratus RHEL4U2] csb5 functions are tagged with __init. This causes a crash in a hot-plug environment RHEL4 Data corruption in spite of using O_SYNC CAN-2005-0756 x86_64 crash (ptrace-check-segment) CAN-2005-1763 x86_64 crash (x86_64-ptrace-overflow) Kernel BUG at pageattr:107 audit: file system and user space filtering by auid audit: teach OOM killer about auditd audit: file system attribute change tracking audit:PATH record mode flags are wrong sometimes audit: file system watch on block device when removing scsi hosts commands are not leaked when removing scsi hosts commands are not leaked audit: kernel audits auditd cable link state ignored on ethernet card (b44). fixes exec-shield to not randomize to between end-of-binary and start-of-brk i2o RAID monitoring memory leak Need export of generic_drop_inode for OCFS2 support 'mt tell' fails - backported kernel bug likely Bluetooth paring did not work anymore since update to 2.6.9-11.EL GET_INDEX macro in aspm pci fixup code can overwrite end of the array kernel panic when rm -rf directory structure on tmpfs filesystem only the main thread is shown by top(1) irq stacks not being used for hardirqs interrupt handlers run on thread's kernel stack JBD race during shutdown of a journal /dev/tty won't open during blocking /dev/ttyS1 open Placeholder for 2.6.x SATA update 20050724-1 Export sys_recvmesg for cluster snapshot fix aio hang when reading beyond EOF RHEL4 [NETFILTER]: Fix deadlock in ip6_queue. [NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT) pci_scan_device can cause master abort panic while running fsstress to a filesystem on a mirror CAN-2005-2098 Error during attempt to join key management session can leave semaphore pinned CAN-2005-2099 Destruction of failed keyring oopses acpi_processor_get_performance_states fails on empty table entries (_PSS) audit - syscall performance mirrors possibly reporting invalid blocks to the filesystem cpufreq driver hangs when using SMP Powernow CAN-2005-2100 4G/4G split bounds checking CAN-2005-2456 IPSEC overflow ext on top of mirror attempts to access beyond end of device: dm-5: rw=0, want=16304032720, limit=20971520 CAN-2005-2555 IPSEC lacks restrictions CAN-2005-2490 sendmsg compat stack overflow CAN-2005-2492 sendmsg DoS bad elf check in module-verify.c [RFC] [RHEL4 U2 patch] dual-core detection gap for i386 build LTC17960-Kernel panic at key_put+0x4/0x19 [REGRESSION] CAN-2005-2872 ipt_recent crash LTC18014-powernow-k8 debug messages are enabled cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 HelixPlayer is a media player. A buffer overflow bug was found in the way HelixPlayer processes SMIL files. An attacker could create a specially crafted SMIL file, which when combined with a malicious web server, could execute arbitrary code when opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1766 to this issue. All users of HelixPlayer are advised to upgrade to this updated package, which contains HelixPlayer version 10.0.5 and is not vulnerable to this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-1766 CAN-2005-1766 HelixPlayer heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Gaim application is a multi-protocol instant messaging client. Jacopo Ottaviani discovered a bug in the way Gaim handles Yahoo! Messenger file transfers. It is possible for a malicious user to send a specially crafted file transfer request that causes Gaim to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1269 to this issue. Additionally, Hugo de Bokkenrijder discovered a bug in the way Gaim parses MSN Messenger messages. It is possible for a malicious user to send a specially crafted MSN Messenger message that causes Gaim to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1934 to this issue. Users of gaim are advised to upgrade to this updated package, which contains version 1.3.1 and is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1269 CVE-2005-1934 CAN-2005-1269 Gaim yahoo utf8 crasher CAN-2005-1934 Gaim MSN protocol DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A buffer overflow bug was found in the way FreeRADIUS escapes data in an SQL query. An attacker may be able to crash FreeRADIUS if they cause FreeRADIUS to escape a string containing three or less characters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1454 to this issue. Additionally a bug was found in the way FreeRADIUS escapes SQL data. It is possible that an authenticated user could execute arbitrary SQL queries by sending a specially crafted request to FreeRADIUS. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1455 to this issue. Users of FreeRADIUS should update to these erratum packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1454 CVE-2005-1455 CAN-2005-1454 Multiple issues in freeradius (CAN-2005-1455) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. An error in the way OpenSSH handled GSSAPI credential delegation was discovered. OpenSSH as distributed with Red Hat Enterprise Linux 4 contains support for GSSAPI user authentication, typically used for supporting Kerberos. On OpenSSH installations which have GSSAPI enabled, this flaw could allow a user who sucessfully authenticates using a method other than GSSAPI to be delegated with GSSAPI credentials. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2798 to this issue. Additionally, the following bugs have been addressed: The ssh command incorrectly failed when it was issued by the root user with a non-default group set. The sshd daemon could fail to properly close the client connection if multiple X clients were forwarded over the connection and the client session exited. The sshd daemon could bind only on the IPv6 address family for X forwarding if the port on IPv4 address family was already bound. The X forwarding did not work in such cases. This update also adds support for recording login user IDs for the auditing service. The user ID is attached to the audit records generated from the user's session. All users of openssh should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2798 CVE-2008-1483 sshd update for new audit system CAN-2005-2798 Improper GSSAPI credential delegation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root with logging. A race condition bug was found in the way sudo handles pathnames. It is possible that a local user with limited sudo access could create a race condition that would allow the execution of arbitrary commands as the root user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1993 to this issue. Users of sudo should update to this updated package, which contains a backported patch and is not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1993 CAN-2005-1993 sudo trusted user arbitrary command execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Ruby is an interpreted scripting language for object-oriented programming. A bug was found in the way Ruby launched an XMLRPC server. If an XMLRPC server is launched in a certain way, it becomes possible for a remote attacker to execute arbitrary commands within the XMLRPC server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1992 to this issue. Users of Ruby should update to these erratum packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1992 CAN-2005-1992 ruby arbitrary command execution on XMLRPC server cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This includes the core files necessary for both the OpenSSH client and server. A bug was found in the way the OpenSSH server handled the MaxStartups and LoginGraceTime configuration variables. A malicious user could connect to the SSH daemon in such a way that it would prevent additional logins from occuring until the malicious connections are closed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-2069 to this issue. Additionally, the following issues are resolved with this update: - The -q option of the ssh client did not suppress the banner message sent by the server, which caused errors when used in scripts. - The sshd daemon failed to close the client connection if multiple X clients were forwarded over the connection and the client session exited. - The sftp client leaked memory if used for extended periods. - The sshd daemon called the PAM functions incorrectly if the user was unknown on the system. All users of openssh should upgrade to these updated packages, which contain backported patches and resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-2069 [PATCH] SSH -q flag does not suppress banner text sftp over a persistent connection (days/weeks) develops a memory leak. CAN-2004-2069 openssh DoS issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Although no exploit is currently known to exist, this issue could potentially be exploited to allow arbitrary code execution on a Key Distribution Center (KDC). The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CAN-2005-1175). Gaël Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CAN-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CAN-2004-0175). All users of krb5 should update to these erratum packages which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2004-0175 CVE-2005-0488 CVE-2005-1175 CVE-2005-1689 CAN-2005-0488 telnet Information Disclosure Vulnerability CAN-2005-1689 double-free in krb5_recvauth krb5 krb5_principal_compare NULL pointer crash CAN-2004-0175 malicious rsh server can cause rcp to write to arbitrary files CAN-2005-1175 krb5 buffer overflow in KDC cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1921 to this issue. When using the default SELinux "targeted" policy on Red Hat Enterprise Linux 4, the impact of this issue is reduced since the scripts executed by PHP are constrained within the httpd_sys_script_t security context. A race condition in temporary file handling was discovered in the shtool script installed by PHP. If a third-party PHP module which uses shtool was compiled as root, a local user may be able to modify arbitrary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1751 to this issue. Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-1751 CVE-2005-1921 Incorrect descriptions for php-ncurses and php-gd packages CAN-2005-1751 shtool insecure temporary file creation CAN-2005-1921 PHP PEAR XML_RPC arbitrary code execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Red Hat Enterprise Linux 4 contains checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 successful exploitation of this issue can only lead to a denial of service (KDC crash). The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CAN-2005-1175). Daniel Wachdorf also discovered that in error conditions that may occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory. This could allow a remote attacker to cause a denial of service (KDC crash) (CAN-2005-1174). Gaël Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CAN-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CAN-2004-0175). All users of krb5 should update to these erratum packages, which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues. Important Copyright 2007 Red Hat, Inc. CVE-2004-0175 CVE-2005-1174 CVE-2005-1175 CVE-2005-1689 CAN-2005-1174 krb5 buffer overflow, heap corruption in KDC (CAN-2005-1175) CAN-2005-0488 telnet Information Disclosure Vulnerability CAN-2005-1689 double-free in krb5_recvauth krb5 krb5_principal_compare NULL pointer crash CAN-2004-0175 malicious rsh server can cause rcp to write to arbitrary files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Zlib is a general-purpose lossless data compression library which is used by many different programs. Tavis Ormandy discovered a buffer overflow affecting Zlib version 1.2 and above. An attacker could create a carefully crafted compressed stream that would cause an application to crash if the stream is opened by a user. As an example, an attacker could create a malicious PNG image file which would cause a web browser or mail viewer to crash if the image is viewed. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2096 to this issue. Please note that the versions of Zlib as shipped with Red Hat Enterprise Linux 2.1 and 3 are not vulnerable to this issue. All users should update to these erratum packages which contain a patch from Mark Adler which corrects this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-2096 CAN-2005-2096 zlib buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. When processing a request, the CUPS scheduler would use case-sensitive matching on the queue name to decide which authorization policy should be used. However, queue names are not case-sensitive. An unauthorized user could print to a password-protected queue without needing a password. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2154 to this issue. Please note that the version of CUPS included in Red Hat Enterprise Linux 4 is not vulnerable to this issue. All users of CUPS should upgrade to these erratum packages which contain a backported patch to correct this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-2154 CAN-2004-2154 <Location ...> directive is case-sensitive in cupsd.conf but should not cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. Watchfire reported a flaw that occured when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This caused Apache to incorrectly handle and forward the body of the request in a way that the receiving server processes it as a separate HTTP request. This could allow the bypass of Web application firewall protection or lead to cross-site scripting (XSS) attacks. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-2088 to this issue. Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL). The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-1268 to this issue. Users of Apache httpd should update to these errata packages that contain backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1268 CVE-2005-2088 Bug 145666 is missing a ',' after REDIRECT_REMOTE_USER CAN-2005-2088 httpd proxy request smuggling CAN-2005-1268 mod_ssl off-by-one cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Zlib is a general-purpose lossless data compression library that is used by many different programs. A previous zlib update, RHSA-2005:569 (CAN-2005-2096) fixed a flaw in zlib that could allow a carefully crafted compressed stream to crash an application. While the original patch corrected the reported overflow, Markus Oberhumer discovered additional ways a stream could trigger an overflow. An attacker could create a carefully crafted compressed stream that would cause an application to crash if the stream is opened by a user. As an example, an attacker could create a malicious PNG image file that would cause a Web browser or mail viewer to crash if the image is viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-1849 to this issue. Note that the versions of zlib shipped with Red Hat Enterprise Linux 2.1 and 3 are not vulnerable to this issue. All users should update to these errata packages that contain a patch from Mark Adler that corrects this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-1849 CAN-2005-1849 zlib buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. A bug was found in the way Firefox handled synthetic events. It is possible that Web content could generate events such as keystrokes or mouse clicks that could be used to steal data or execute malicious JavaScript code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2260 to this issue. A bug was found in the way Firefox executed Javascript in XBL controls. It is possible for a malicious webpage to leverage this vulnerability to execute other JavaScript based attacks even when JavaScript is disabled. (CAN-2005-2261) A bug was found in the way Firefox set an image as the desktop wallpaper. If a user chooses the "Set As Wallpaper..." context menu item on a specially crafted image, it is possible for an attacker to execute arbitrary code on a victim's machine. (CAN-2005-2262) A bug was found in the way Firefox installed its extensions. If a user can be tricked into visiting a malicious webpage, it may be possible to obtain sensitive information such as cookies or passwords. (CAN-2005-2263) A bug was found in the way Firefox handled the _search target. It is possible for a malicious website to inject JavaScript into an already open webpage. (CAN-2005-2264) A bug was found in the way Firefox handled certain Javascript functions. It is possible for a malicious web page to crash the browser by executing malformed Javascript code. (CAN-2005-2265) A bug was found in the way Firefox handled multiple frame domains. It is possible for a frame as part of a malicious web site to inject content into a frame that belongs to another domain. This issue was previously fixed as CAN-2004-0718 but was accidentally disabled. (CAN-2005-1937) A bug was found in the way Firefox handled child frames. It is possible for a malicious framed page to steal sensitive information from its parent page. (CAN-2005-2266) A bug was found in the way Firefox opened URLs from media players. If a media player opens a URL that is JavaScript, JavaScript is executed with access to the currently open webpage. (CAN-2005-2267) A design flaw was found in the way Firefox displayed alerts and prompts. Alerts and prompts were given the generic title [JavaScript Application] which prevented a user from knowing which site created them. (CAN-2005-2268) A bug was found in the way Firefox handled DOM node names. It is possible for a malicious site to overwrite a DOM node name, allowing certain privileged chrome actions to execute the malicious JavaScript. (CAN-2005-2269) A bug was found in the way Firefox cloned base objects. It is possible for Web content to navigate up the prototype chain to gain access to privileged chrome objects. (CAN-2005-2270) Users of Firefox are advised to upgrade to this updated package that contains Firefox version 1.0.6 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-1937 CVE-2005-2114 CVE-2005-2260 CVE-2005-2261 CVE-2005-2262 CVE-2005-2263 CVE-2005-2264 CVE-2005-2265 CVE-2005-2266 CVE-2005-2267 CVE-2005-2268 CVE-2005-2269 CVE-2005-2270 CAN-2005-1937 multiple firefox security issues (CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A bug was found in the way Mozilla handled synthetic events. It is possible that Web content could generate events such as keystrokes or mouse clicks that could be used to steal data or execute malicious Javascript code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2260 to this issue. A bug was found in the way Mozilla executed Javascript in XBL controls. It is possible for a malicious webpage to leverage this vulnerability to execute other JavaScript based attacks even when JavaScript is disabled. (CAN-2005-2261) A bug was found in the way Mozilla installed its extensions. If a user can be tricked into visiting a malicious webpage, it may be possible to obtain sensitive information such as cookies or passwords. (CAN-2005-2263) A bug was found in the way Mozilla handled certain Javascript functions. It is possible for a malicious webpage to crash the browser by executing malformed Javascript code. (CAN-2005-2265) A bug was found in the way Mozilla handled multiple frame domains. It is possible for a frame as part of a malicious website to inject content into a frame that belongs to another domain. This issue was previously fixed as CAN-2004-0718 but was accidentally disabled. (CAN-2005-1937) A bug was found in the way Mozilla handled child frames. It is possible for a malicious framed page to steal sensitive information from its parent page. (CAN-2005-2266) A bug was found in the way Mozilla opened URLs from media players. If a media player opens a URL which is Javascript, the Javascript executes with access to the currently open webpage. (CAN-2005-2267) A design flaw was found in the way Mozilla displayed alerts and prompts. Alerts and prompts were given the generic title [JavaScript Application] which prevented a user from knowing which site created them. (CAN-2005-2268) A bug was found in the way Mozilla handled DOM node names. It is possible for a malicious site to overwrite a DOM node name, allowing certain privileged chrome actions to execute the malicious Javascript. (CAN-2005-2269) A bug was found in the way Mozilla cloned base objects. It is possible for Web content to traverse the prototype chain to gain access to privileged chrome objects. (CAN-2005-2270) Users of Mozilla are advised to upgrade to these updated packages, which contain Mozilla version 1.7.10 and are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-1937 CVE-2005-2114 CVE-2005-2260 CVE-2005-2261 CVE-2005-2263 CVE-2005-2265 CVE-2005-2266 CVE-2005-2267 CVE-2005-2268 CVE-2005-2269 CVE-2005-2270 CAN-2005-1937 multiple mozilla issues (CAN-2005-2260 CAN-2005-2261 CAN-2005-2263 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SquirrelMail is a standards-based webmail package written in PHP4. A bug was found in the way SquirrelMail handled the $_POST variable. If a user is tricked into visiting a malicious URL, the user's SquirrelMail preferences could be read or modified. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2095 to this issue. Several cross-site scripting bugs were discovered in SquirrelMail. An attacker could inject arbitrary Javascript or HTML content into SquirrelMail pages by tricking a user into visiting a carefully crafted URL, or by sending them a carefully constructed HTML email message. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1769 to this issue. All users of SquirrelMail should upgrade to this updated package, which contains backported patches that resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2095 CVE-2005-1769 CAN-2005-1769 Multiple XSS issues in squirrelmail CAN-2005-2095 squirrelmail cross site posting issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Sysreport is a utility that gathers information about a system's hardware and configuration. The information can then be used for diagnostic purposes and debugging. Bill Stearns discovered a bug in the way sysreport creates temporary files. It is possible that a local attacker could obtain sensitive information about the system when sysreport is run. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2104 to this issue. Users of sysreport should update to this erratum package, which contains a patch that resolves this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-2104 CAN-2005-2104 sysreport insecure temporary directory usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. A bug was found in the way Thunderbird handled anonymous functions during regular expression string replacement. It is possible for a malicious HTML mail to capture a random block of client memory. The Common Vulnerabilities and Exposures project has assigned this bug the name CAN-2005-0989. A bug was found in the way Thunderbird validated several XPInstall related JavaScript objects. A malicious HTML mail could pass other objects to the XPInstall objects, resulting in the JavaScript interpreter jumping to arbitrary locations in memory. (CAN-2005-1159) A bug was found in the way the Thunderbird privileged UI code handled DOM nodes from the content window. An HTML message could install malicious JavaScript code or steal data when a user performs commonplace actions such as clicking a link or opening the context menu. (CAN-2005-1160) A bug was found in the way Thunderbird executed JavaScript code. JavaScript executed from HTML mail should run with a restricted access level, preventing dangerous actions. It is possible that a malicious HTML mail could execute JavaScript code with elevated privileges, allowing access to protected data and functions. (CAN-2005-1532) A bug was found in the way Thunderbird executed Javascript in XBL controls. It is possible for a malicious HTML mail to leverage this vulnerability to execute other JavaScript based attacks even when JavaScript is disabled. (CAN-2005-2261) A bug was found in the way Thunderbird handled certain Javascript functions. It is possible for a malicious HTML mail to crash the client by executing malformed Javascript code. (CAN-2005-2265) A bug was found in the way Thunderbird handled child frames. It is possible for a malicious framed HTML mail to steal sensitive information from its parent frame. (CAN-2005-2266) A bug was found in the way Thunderbird handled DOM node names. It is possible for a malicious HTML mail to overwrite a DOM node name, allowing certain privileged chrome actions to execute the malicious JavaScript. (CAN-2005-2269) A bug was found in the way Thunderbird cloned base objects. It is possible for HTML content to navigate up the prototype chain to gain access to privileged chrome objects. (CAN-2005-2270) Users of Thunderbird are advised to upgrade to this updated package that contains Thunderbird version 1.0.6 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0989 CVE-2005-1159 CVE-2005-1160 CVE-2005-1532 CVE-2005-2261 CVE-2005-2265 CVE-2005-2266 CVE-2005-2269 CVE-2005-2270 CAN-2005-0989 multiple thunderbird issues (CAN-2005-1159 CAN-2005-1160 CAN-2005-1532 CAN-2005-2261 CAN-2005-2265 CAN-2005-2266 CAN-2005-2269 CAN-2005-2270) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The Apache HTTP Server is a popular and freely-available Web server. A flaw was discovered in mod_ssl's handling of the "SSLVerifyClient" directive. This flaw occurs if a virtual host is configured using "SSLVerifyClient optional" and a directive "SSLVerifyClient required" is set for a specific location. For servers configured in this fashion, an attacker may be able to access resources that should otherwise be protected, by not supplying a client certificate when connecting. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2700 to this issue. A flaw was discovered in Apache httpd where the byterange filter would buffer certain responses into memory. If a server has a dynamic resource such as a CGI script or PHP script that generates a large amount of data, an attacker could send carefully crafted requests in order to consume resources, potentially leading to a Denial of Service. (CAN-2005-2728) Users of Apache httpd should update to these errata packages that contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-2700 CVE-2005-2728 CAN-2005-2728 byterange memory DoS CAN-2005-2700 SSLVerifyClient flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 kdelibs contains libraries for the K Desktop Environment. A flaw was discovered affecting Kate, the KDE advanced text editor, and Kwrite. Depending on system settings, it may be possible for a local user to read the backup files created by Kate or Kwrite. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1920 to this issue. Please note this issue does not affect Red Hat Enterprise Linux 3 or 2.1. Users of Kate or Kwrite should update to these errata packages which contains a backported patch from the KDE security team correcting this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1920 CAN-2005-1920 Kate backup file permissions leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Gaim is an Internet Messaging client. A heap based buffer overflow issue was discovered in the way Gaim processes away messages. A remote attacker could send a specially crafted away message to a Gaim user logged into AIM or ICQ that could result in arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2103 to this issue. Daniel Atallah discovered a denial of service issue in Gaim. A remote attacker could attempt to upload a file with a specially crafted name to a user logged into AIM or ICQ, causing Gaim to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2102 to this issue. A denial of service bug was found in Gaim's Gadu Gadu protocol handler. A remote attacker could send a specially crafted message to a Gaim user logged into Gadu Gadu, causing Gaim to crash. Please note that this issue only affects PPC and IBM S/390 systems running Gaim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2370 to this issue. Users of gaim are advised to upgrade to this updated package, which contains backported patches and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-2102 CVE-2005-2103 CVE-2005-2370 CAN-2005-2370 gadu gadu memory alignment issue CAN-2005-2102 gaim AIM invalid filename DoS CAN-2005-2103 Gaim malformed away message remote code execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdenetwork package contains networking applications for the K Desktop Environment. Kopete is a KDE instant messenger which supports a number of protocols including ICQ, MSN, Yahoo, Jabber, and Gadu-Gadu. Multiple integer overflow flaws were found in the way Kopete processes Gadu-Gadu messages. A remote attacker could send a specially crafted Gadu-Gadu message which would cause Kopete to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1852 to this issue. In order to be affected by this issue, a user would need to have registered with Gadu-Gadu and be signed in to the Gadu-Gadu server in order to receive a malicious message. In addition, Red Hat believes that the Exec-shield technology (enabled by default in Red Hat Enterprise Linux 4) would block attempts to remotely exploit this vulnerability. Note that this issue does not affect Red Hat Enterprise Linux 2.1 or 3. Users of Kopete should update to these packages which contain a patch to correct this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-1852 CVE-2005-2369 CVE-2005-2370 CVE-2005-2448 CAN-2005-1852 Kopete gadu-gadu flaws cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Fetchmail is a remote mail retrieval and forwarding utility. A buffer overflow was discovered in fetchmail's POP3 client. A malicious server could cause send a carefully crafted message UID and cause fetchmail to crash or potentially execute arbitrary code as the user running fetchmail. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2335 to this issue. Users of fetchmail should update to this erratum package which contains a backported patch to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-2335 CAN-2005-2335 fetchmail overflow from malicious pop3 server cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Binutils is a collection of utilities used for the creation of executable code. A number of bugs were found in various binutils tools. Several integer overflow bugs were found in binutils. If a user is tricked into processing a specially crafted executable with utilities such as readelf, size, strings, objdump, or nm, it may allow the execution of arbitrary code as the user running the utility. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1704 to this issue. Additionally, the following bugs have been fixed: -- correct alignment of .tbss section if the requested alignment of .tbss is bigger than requested alignment of .tdata section -- by default issue an error if IA-64 hint@pause instruction is put into the B slot, add assembler command line switch to override this behaviour All users of binutils should upgrade to this updated package, which contains backported patches to resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1704 gcc produces inadequate alignment for __thread vars CAN-2005-1704 Integer overflow in the Binary File Descriptor (BFD) library cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the sixth regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include: - diskdump support on HP Smart Array devices - netconsole/netdump support over bonded interfaces - new chipset and device support via PCI table updates - support for new "oom-kill" and "kscand_work_percent" sysctls - support for dual core processors and ACPI Power Management timers on AMD64 and Intel EM64T systems There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include kswapd, inode handling, the SATA subsystem, diskdump handling, ptrace() syscall support, and signal handling. The following device drivers have been upgraded to new versions: 3w-9xxx ---- 2.24.03.008RH cciss ------ 2.4.58.RH1 e100 ------- 3.4.8-k2 e1000 ------ 6.0.54-k2 emulex ----- 7.3.2 fusion ----- 2.06.16i.01 iscsi ------ 3.6.2.1 ipmi ------- 35.4 lpfcdfc ---- 1.2.1 qlogic ----- 7.05.00-RH1 tg3 -------- 3.27RH The following security bugs were fixed in this update: - a flaw in syscall argument checking on Itanium systems that allowed a local user to cause a denial of service (crash) (CAN-2005-0136) - a flaw in stack expansion that allowed a local user of mlockall() to cause a denial of service (memory exhaustion) (CAN-2005-0179) - a small memory leak in network packet defragmenting that allowed a remote user to cause a denial of service (memory exhaustion) on systems using netfilter (CAN-2005-0210) - flaws in ptrace() syscall handling on AMD64 and Intel EM64T systems that allowed a local user to cause a denial of service (crash) (CAN-2005-0756, CAN-2005-1762, CAN-2005-2553) - flaws in ISO-9660 file system handling that allowed the mounting of an invalid image on a CD-ROM to cause a denial of service (crash) or potentially execute arbitrary code (CAN-2005-0815) - a flaw in ptrace() syscall handling on Itanium systems that allowed a local user to cause a denial of service (crash) (CAN-2005-1761) - a flaw in the alternate stack switching on AMD64 and Intel EM64T systems that allowed a local user to cause a denial of service (crash) (CAN-2005-1767) - race conditions in the ia32-compat support for exec() syscalls on AMD64, Intel EM64T, and Itanium systems that could allow a local user to cause a denial of service (crash) (CAN-2005-1768) - flaws in IPSEC network handling that allowed a local user to cause a denial of service or potentially gain privileges (CAN-2005-2456, CAN-2005-2555) - a flaw in sendmsg() syscall handling on 64-bit systems that allowed a local user to cause a denial of service or potentially gain privileges (CAN-2005-2490) - flaws in unsupported modules that allowed denial-of-service attacks (crashes) or local privilege escalations on systems using the drm, coda, or moxa modules (CAN-2004-1056, CAN-2005-0124, CAN-2005-0504) - potential leaks of kernel data from jfs and ext2 file system handling (CAN-2004-0181, CAN-2005-0400) Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2005 Red Hat, Inc. CVE-2004-0181 CVE-2004-1056 CVE-2005-0124 CVE-2005-0136 CVE-2005-0179 CVE-2005-0210 CVE-2005-0400 CVE-2005-0504 CVE-2005-0756 CVE-2005-0815 CVE-2005-1761 CVE-2005-1762 CVE-2005-1767 CVE-2005-1768 CVE-2005-2456 CVE-2005-2490 CVE-2005-2553 CVE-2005-2555 CVE-2005-3273 CVE-2005-3274 Request for enhancement for callback function iostat -x shows infeasible avgqu-sz results and max util LTC3549 - ps wchan broken Existence of race condition in Linux SD driver that leads to a deadlock symbolic links have invalid permissions RHEL3_U4 Data corruption in spite of using O_SYNC System can hang while running multiple instances of fdisk CVE-2004-0181 jfs infoleak microcode_ctl errors with modprobe: Can't locate module char-major-10-184 LUN i not getting registered Opteron gettimeofday granularity problem RHEL3 U6: Diskdump support for Compaq Smart Array Controllers (cciss) iostat -x 1 5 give bogus statistics... RHEL3 U4: need netdump to work with the bonding driver gart errors when using 2.4.21-15.0.3.EL.smp or -9.0.1 on AMD64 quad system [Patch] Simultaneous calls to open() on a usb device hangs the kernel __put_task_struct unresolved when loading externally compiled module char-major-10-184 microcode error with kernel 2.4.21-15.ELhugemem bogus data in /proc/partitions for IDE whole-disk device Extraneous data in option name for scsi_mod gart errors when using 2.4.21-20.EL on HP DL585 CVE-2004-1056 insufficient locking checks in DRM code RHEL3 U5: netdump does not work over bonded interfaces System hangs for 15-45 seconds on RHEL3 / kernel 2.4.21-20.EL "fdisk -l" broken when over 26 EMC Powerpath disks Only 16 EMC powerpath LUNs usable with LVM1 error unmounting /var filesystem while shutdown Potential kernel DOS 'ghosted' autofs shares disappear Unable to umount /var during shutdown process when connected with ssh [PATCH] Stale POSIX flock CVE-2005-0179 RLIMIT_MEMLOCK bypass and (2.6) unprivileged user DoS Kernel panic in shutdown path when iSCSI LUNs are mounted netdump client/server problems Use of bonding driver in mode 5 can cause multicast packet loss high loads / high iowait / up 100% cpu time for kscand on oracle box CVE-2005-0124 Coverity: coda fs flaw CVE-2005-0504 moxa CAP_SYS_RAWIO missing (-unsupported) Need openIPMI driver to work with IBM's x336 BMC [PATCH] FEAT: RHEL3 U6: Enable dual-core processors from Intel CVE-2005-0136 ptrace corner cases on ia64 Oracle 8 import of Oracle 9 database can lock system. LTC13257-LTPstress sigaction01 Testcase Ends up Segmentation Fault [PATCH] Kernel panic (EIP is at find_inode) No data avaliable for eth card panic at ia64_leave_kernel [kernel] 0x1 (2.4.21-27.EL) Don't oom kill TASK_UNINTERRUPTIBLE processes e1000 has memory leak when run continuously getting new dhcp leases. Over time, autofs leaks kernel memory in the size-256 slab kernel panic when bringing up and down multiple interfaces simultaneously sk98lin driver drops udp packets 8GB SMP servers appear to hang in VM subsystem under stress CVE-2005-0400 ext2 mkdir() directory entry random kernel memory leak CVE-2005-0815 isofs range checking flaws [RHEL3-U6][Diskdump] Backtrace of OS_INIT doesn't work RHEL3 U4 - kswapd/rpciod deadlock [Texas Instruments] nfs bindresvport: Address already in use [RHEL3 U6] diskdump fails with block_order=8 [RHEL3 U6] Diskdump fails if module parameter 'block_order' has too big value Kernel Panics on kernel 2.4.21-27 [LSI Logic] Feature RHEL: Add mpt fusion SAS support, and new PCI IDs [RHEL 3 U6]inode_lock deadlock/race? CVE-2005-3273 ROSE ndigis verification ext3 data corruption under Samba share CVE-2005-1762 x86_64 sysret exception leads to DoS kernel may oops if more than 4k worth of string data returned in /proc/devices [RHEL3] IPv6 Neighbor Cache : RHEL 3.0 does not update the IsRouter flag in the cache entry and improperly remove router from the Default Router List. [RHEL3 U4] The system clock gains much time when netconle is activated. CRM 479318 Unexpected IO-APIC on Opteron system sd _mod doesn't handle removable drives (USB floppy) well PPC64 not setting backchain in signal frames FEAT: RHEL3 U6: cciss driver updates (STOPSHIP) FEAT: RH EL 3 U6: diskdump driver RHEL3 U6: Add 'ht' flag in EM64T /proc/cpuinfo [PATCH] FEAT: RHEL3 U6: Add ICH4L support to kernel (MEDIUM) 529692 - /proc/stat documentation is out of date. RHEL 3 U6: Use of Performance Monitoring Counters based on Model number (x86-64) When an AX100i SP reboot occurs, the Cisco iSCSI driver doesnt log back into array. FEAT RHEL3 U6: Need e1000 driver Update to v.6.0.54 or higher (MUSTFIX) LTC14642-NetDump is too slow to dump...[PATCH] [RFE] [RHEL3 U6]Update 3w-9xxx driver [CRM 511714] bonding and arp ping failure detection attempt to access beyond end of device: ext2 symlink/EA problem Potential kernel panic with stale POSIX locks CVE-2005-3274 IPVS panic at ip_vs_conn_flush() when unloading ip_vs module Updated Qlogic driver is requested in RHEL 3 U6 Update Emulex driver in RHEL 3 U6 Long tape commands (e.g. erase) timeout on dpt_i2o. RHEL 3 configures non-existent SCSI target devices FEAT RHEL3U6: new devices supported by tg3 (STOPSHIP) CVE-2005-0210 dst leak FEAT: [RHEL3 U6] add PCI_VENDOR_ID_NEC to megaraid subsysvid Adding 3pardata to the scsi device whitelist [RHEL3 U4] setsockopt SO_RCVTIMEO call fails from a 32 bit binary running on a x86_64 system [Patch] RHEL3 U6: lower severity of blk: queue xxxx printks (~MF) CVE-2005-1767 x86_64 crashes from context switches on stk-seg-fault stack FEAT: RHEL3 U6: Update e100 driver to later than v.3.4.1 x86_64 kernel stops allocating memory too early when overcommit_memory set to strict RHEL3 U6: ESB2 support (PATA, SATA, USB, SMBUS, LPC, Audio and AHCI) ptrace changes to registers during ia32 syscall tracing stop are lost x86-64 PTRACE_SETOPTIONS does not support most option flags CVE-2005-1761 local user can use ptrace to crash system CVE-2005-1762 x86_64 crash (ptrace-canonical) CVE-2005-0756 x86_64 crash (ptrace-check-segment) Diskdump disk controllers support Fix dangling pointer in acpi_pci_root_add() [RHEL3][PATCH] suppress medum-not-present messages from idefloppy [taroon patch] fix for indefinite postponement under __alloc_pages() Add docs detailing which drivers support netconsole CVE-2005-2553 x86_64 fix for 32-bit ptrace find_target() oops [RHEL3][PATCH] suppress medum-not-present messages from idefloppy CVE-2005-1768 64bit execve() race leads to buffer overflow Memory Leak in autofs The AHCI driver was incorrectly resetting the hardware on error RHEL 3 U5 code base contains duplicate USB ESSENTIAL_REALITY cable link state ignored on ethernet card (b44). accounting of SETITIMER_PROF inaccurate Kernel panic: pci_map_single: high address but no IOMMU. nVidia driver requires upstream page_attr patch CRM 565876: samba-3.0.8pre1-smbmnt.patch to fix smbmount UID wraparound bug for RHEL3 Samba packages superbh function causing a server to crash when Veritas Volume Manager Modules for VxVM 4.0 are loaded. iscsi_sfnet driver does not calculate ConnFailTimeout correctly when greater than 15 secs CRM: 507606 / short freezes on Informix server RHEL3 U5 panic in kmem_cache_grow add SGI scsi devices to list in scsi_scan.c dpt_i2o driver oopses on insmod in U5 Initiator does not retry login on target error when PortalFailover is disabled Placeholder for 2.4.x SATA update 20050723-1 rpm install of -33.EL on ia64 gets unresolved pm_power_off symbol User-mode program run on IA64 AS 3.0 causes system to crash due to invalid stack pointer [RHEL3U6] diskdump - scsi dump fails with module CRC error [RHEL3 U6] Fix to update openipmi drivers for Dell 8G server line (MUSTFIX) CVE-2005-2456 IPSEC overflow LTC14996-IPMI driver is broken on multiple platforms [RHEL3U6] diskdump fails with machine check error on x86_64 Disable FAN processing in Emulex lpfc driver Add Invista to RHEL 3 SCSI Whitelist NFS deadlock when multiple processes creating/deleting a file IBM TapeLibrary 3583 CVE-2005-2555 IPSEC lacks restrictions Kernel crash on 2.4.21-34 base due to kiobuf_init() setting the initialized state when expand_kiobuf() was not called. CVE-2005-2490 sendmsg compat stack overflow cciss, add pci id for P400 [BETA RHEL3 U6] kernel panic while booting numa=off on x86_64 drivers/addon/lpfc/lpfcdfc/Makefile change causing intermittent build failures [RHEL3] cosmetic change to IPMI drivers to update version revision number cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The xpdf package is an X Window System-based viewer for Portable Document Format (PDF) files. A flaw was discovered in Xpdf in that an attacker could construct a carefully crafted PDF file that would cause Xpdf to consume all available disk space in /tmp when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2097 to this issue. Note this issue does not affect the version of Xpdf in Red Hat Enterprise Linux 3 or 2.1. Users of xpdf should upgrade to this updated package, which contains a backported patch to resolve this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2097 CAN-2005-2097 xpdf DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment including kpdf, a pdf file viewer. A flaw was discovered in kpdf. An attacker could construct a carefully crafted PDF file that would cause kpdf to consume all available disk space in /tmp when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2097 to this issue. Note this issue does not affect Red Hat Enterprise Linux 3 or 2.1. Users of kpdf should upgrade to these updated packages, which contains a backported patch to resolve this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2097 CAN-2005-2097 kpdf DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Binutils is a collection of utilities used for the creation of executable code. A number of bugs were found in various binutils tools. If a user is tricked into processing a specially crafted executable with utilities such as readelf, size, strings, objdump, or nm, it may allow the execution of arbitrary code as the user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1704 to this issue. In addition, the following bugs have been fixed: -- by default issue an error if IA-64 hint@pause instruction is put into the B slot, add assembler command line switch to override this behaviour -- fix linker's --emit-relocs with .gnu.warning.* section symbols -- fix gprof on 64-bit ppc binaries and libraries -- fix gas mapping of register names to dwarf2 register numbers in CFI directives All users of binutils should upgrade to this updated package, which contains patches to resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1704 CAN-2005-1704 Integer overflow in the Binary File Descriptor (BFD) library wrong dwarf register numbers generated cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Perl is a high-level programming language commonly used for system administration utilities and Web programming. Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module removed directory trees. If a local user has write permissions to a subdirectory within the tree being removed by File::Path::rmtree, it is possible for them to create setuid binary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0448 to this issue. This update also addresses the following issues: -- Perl interpreter caused a segmentation fault when environment changes occurred during runtime. -- Code in lib/FindBin contained a regression that caused problems with MRTG software package. -- Perl incorrectly declared it provides an FCGI interface where it in fact did not. Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0448 perl fails "lib/FindBin" test (breaks MRTG) Packing fault with perl and FCGI perl-suidperl package has an extra .1 release suffix CAN-2005-0448 perl File::Path.pm rmtree race condition cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. An insecure temporary file handling bug was found in the mysql_install_db script. It is possible for a local user to create specially crafted files in /tmp which could allow them to execute arbitrary SQL commands during database installation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1636 to this issue. These packages update mysql to version 4.1.12, fixing a number of problems. Also, support for SSL-encrypted connections to the database server is now provided. All users of mysql are advised to upgrade to these updated packages. Low Copyright 2005 Red Hat, Inc. CVE-2005-1636 CAN-2005-1636 mysql insecure temporary file creation Parser issue with subqueries involving unions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The ethereal package is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws and cause Ethereal to crash or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-2360, CAN-2005-2361, CAN-2005-2362, CAN-2005-2363, CAN-2005-2364, CAN-2005-2365, CAN-2005-2366, and CAN-2005-2367 to these issues. Users of ethereal should upgrade to these updated packages, which contain version 0.10.12 which is not vulnerable to these issues. Note: To reduce the risk of future vulnerabilities in Ethereal, the ethereal and tethereal programs in this update have been compiled as Position Independant Executables (PIE) for Red Hat Enterprise Linux 3 and 4. In addition FORTIFY_SOURCE has been enabled for Red Hat Enterprise Linux 4 packages to provide compile time and runtime buffer checks. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2360 CVE-2005-2361 CVE-2005-2362 CVE-2005-2363 CVE-2005-2364 CVE-2005-2365 CVE-2005-2366 CVE-2005-2367 CAN-2005-2360 Multiple ethereal flaws (CAN-2005-2361 CAN-2005-2362 CAN-2005-2363 CAN-2005-2364 CAN-2005-2365 CAN-2005-2366 CAN-2005-2367) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. When processing a PDF file, bounds checking was not correctly performed on some fields. This could cause the pdftops filter (running as user "lp") to crash. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2097 to this issue. All users of CUPS should upgrade to these erratum packages, which contain a patch to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-2097 CAN-2005-2097 pdf flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The gpdf package is an GNOME based viewer for Portable Document Format (PDF) files. Marcus Meissner reported a flaw in gpdf. An attacker could construct a carefully crafted PDF file that would cause gpdf to consume all available disk space in /tmp when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2097 to this issue. Note that this issue does not affect the version of gpdf in Red Hat Enterprise Linux 3 or 2.1. Users of gpdf should upgrade to this updated package, which contains a backported patch to resolve this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2097 CAN-2005-2097 gpdf DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GDB, the GNU debugger, allows debugging of programs written in C, C++, and other languages by executing them in a controlled fashion, then printing their data. Several integer overflow bugs were found in gdb. If a user is tricked into processing a specially crafted executable file, it may allow the execution of arbitrary code as the user running gdb. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1704 to this issue. A bug was found in the way gdb loads .gdbinit files. When a user executes gdb, the local directory is searched for a .gdbinit file which is then loaded. It is possible for a local user to execute arbitrary commands as the victim running gdb by placing a malicious .gdbinit file in a location where gdb may be run. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1705 to this issue. This updated package also addresses the following issues: - GDB on ia64 had previously implemented a bug fix to work-around a kernel problem when creating a core file via gcore. The bug fix caused a significant slow-down of gcore. - GDB on ia64 issued an extraneous warning when gcore was used. - GDB on ia64 could not backtrace over a sigaltstack. - GDB on ia64 could not successfully do an info frame for a signal trampoline. - GDB on AMD64 and Intel EM64T had problems attaching to a 32-bit process. - GDB on AMD64 and Intel EM64T was not properly handling threaded watchpoints. - GDB could not build with gcc4 when -Werror flag was set. - GDB had problems printing inherited members of C++ classes. - A few updates from mainline sources concerning Dwarf2 partial die in cache support, follow-fork support, interrupted syscall support, and DW_OP_piece read support. All users of gdb should upgrade to this updated package, which resolves these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1704 CVE-2005-1705 CAN-2005-1704 Integer overflow in gdb CAN-2005-1705 gdb arbitrary command execution GDB fails to correctly report frame information cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The netpbm package contains a library of functions that support programs for handling various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps) and others. A bug was found in the way netpbm converts PostScript files into PBM, PGM or PPM files. An attacker could create a carefully crafted PostScript file in such a way that it could execute arbitrary commands when the file is processed by a victim using pstopnm. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2471 to this issue. All users of netpbm should upgrade to the updated packages, which contain a backported patch to resolve this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-2471 CAN-2005-2471 netpbm should use the -dSAFER option when calling Ghostscript cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 VIM (VIsual editor iMproved) is a version of the vi editor. A bug was found in the way VIM processes modelines. If a user with modelines enabled opens a text file with a carefully crafted modeline, arbitrary commands may be executed as the user running VIM. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2368 to this issue. Users of VIM are advised to upgrade to these updated packages, which resolve this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-2368 CAN-2005-2368 vim modeline arbitrary command execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2498 to this issue. When using the default SELinux "targeted" policy on Red Hat Enterprise Linux 4, the impact of this issue is reduced since the scripts executed by PHP are constrained within the httpd_sys_script_t security context. Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-2498 CAN-2005-2498 PHP PEAR:XMLRPC eval code injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The nss_ldap module is an extension for use with GNU libc which allows applications to, without internal modification, consult a directory service using LDAP to supplement information that would be read from local files such as /etc/passwd, /etc/group, and /etc/shadow. A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP servers. If a client connection is referred to a different server, it is possible that the referred connection will not be encrypted even if the client has "ssl start_tls" in its ldap.conf file. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2069 to this issue. A bug was also found in the way certain OpenLDAP authentication schemes store hashed passwords. A remote attacker could re-use a hashed password to gain access to unauthorized resources. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0823 to this issue. All users of OpenLDAP and nss_ldap are advised to upgrade to these updated packages, which contain backported fixes that resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0823 CVE-2005-2069 CAN-2004-0823 openldap hashed password re-use CAN-2005-2069 openldap password disclosure issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 CVS (Concurrent Version System) is a version control system. An insecure temporary file usage was found in the cvsbug program. It is possible that a local user could leverage this issue to execute arbitrary instructions as the user running cvsbug. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2693 to this issue. All users of cvs should upgrade to this updated package, which includes a patch to correct this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-2693 CAN-2005-2693 CVS temporary file issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PCRE is a Perl-compatible regular expression library. An integer overflow flaw was found in PCRE, triggered by a maliciously crafted regular expression. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the application using the library. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2491 to this issue. The security impact of this issue varies depending on the way that applications make use of PCRE. For example, the Apache web server uses the system PCRE library in order to parse regular expressions, but this flaw would only allow a user who already has the ability to write .htaccess files to gain 'apache' privileges. For applications supplied with Red Hat Enterprise Linux, a maximum security impact of moderate has been assigned. Users should update to these erratum packages that contain a backported patch to correct this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2491 CAN-2005-2491 PCRE heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A bug was found in the way Squid displays error messages. A remote attacker could submit a request containing an invalid hostname which would result in Squid displaying a previously used error message. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-2479 to this issue. Two denial of service bugs were found in the way Squid handles malformed requests. A remote attacker could submit a specially crafted request to Squid that would cause the server to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-2794 and CAN-2005-2796 to these issues. Please note that CAN-2005-2796 does not affect Red Hat Enterprise Linux 2.1 Users of Squid should upgrade to this updated package that contains backported patches, and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-2479 CVE-2005-2794 CVE-2005-2796 CAN-2004-2479 squid information disclosure issue CAN-2005-2794 Multiple squid DoS issues (CAN-2005-2796) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The nss_ldap module is an extension for use with GNU libc which allows applications to, without internal modification, consult a directory service using LDAP to supplement information that would be read from local files such as /etc/passwd, /etc/group, and /etc/shadow. A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP servers. If a client connection is referred to a different server, it is possible that the referred connection will not be encrypted even if the client has "ssl start_tls" in its ldap.conf file. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2069 to this issue. A bug was found in the way the pam_ldap module processed certain failure messages. If the server includes supplemental data in an authentication failure result message, but the data does not include any specific error code, the pam_ldap module would proceed as if the authentication request had succeeded, and authentication would succeed. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2641 to this issue. Additionally the following issues are corrected in this erratum. - The OpenLDAP upgrading documentation has been updated. - Fix a database deadlock locking issue. - A fix where slaptest segfaults on exit after successful check. - The library libslapd_db-4.2.so is now located in an architecture-dependent directory. - The LDAP client no longer enters an infinite loop when the server returns a reference to itself. - The pam_ldap module adds the ability to check user passwords using a directory server to PAM-aware applications. - The directory server can now include supplemental information regarding the state of the user's account if a client indicates that it supports such a feature. All users of OpenLDAP and nss_ldap are advised to upgrade to these updated packages, which contain backported fixes that resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2069 CVE-2005-2641 Authconfig update creates a problem with OpenLDAP server CAN-2005-2069 openldap password disclosure issue CAN-2005-2641 pam_ldap policy vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. A bug was found in the way Firefox processes certain international domain names. An attacker could create a specially crafted HTML file, which when viewed by the victim would cause Firefox to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2871 to this issue. Users of Firefox are advised to upgrade to this updated package that contains a backported patch and is not vulnerable to this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-2871 CAN-2005-2871 Firefox buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A bug was found in the way Mozilla processes certain international domain names. An attacker could create a specially crafted HTML file, which when viewed by the victim would cause Mozilla to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2871 to this issue. Users of Mozilla are advised to upgrade to this updated package that contains a backported patch and is not vulnerable to this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-2871 CAN-2005-2871 Mozilla buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 GNU Wget is a file retrieval utility that can use either the HTTP or FTP protocols. A bug was found in the way wget writes files to the local disk. If a malicious local user has write access to the directory wget is saving a file into, it is possible to overwrite files that the user running wget has write access to. (CAN-2004-2014) A bug was found in the way wget filters redirection URLs. It is possible for a malicious Web server to overwrite files the user running wget has write access to. Note: in order for this attack to succeed the local DNS would need to resolve ".." to an IP address, which is an unlikely situation. (CAN-2004-1487) A bug was found in the way wget displays HTTP response codes. It is possible that a malicious web server could inject a specially crafted terminal escape sequence capable of misleading the user running wget. (CAN-2004-1488) Users should upgrade to this updated package, which contains a version of wget that is not vulnerable to these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1487 CVE-2004-1488 CVE-2004-2014 CAN-2004-1487 Several wget vulnerabilities (CAN-2004-1488) CAN-2004-2014 wget symlink race wget man page incomplete cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. A bug was found in the way CUPS processes malformed HTTP requests. It is possible for a remote user capable of connecting to the CUPS daemon to issue a malformed HTTP GET request that causes CUPS to enter an infinite loop. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2874 to this issue. Two small bugs have also been fixed in this update. A signal handling problem has been fixed that could occasionally cause the scheduler to stop when told to reload. A problem with tracking open file descriptors under certain specific circumstances has also been fixed. All users of CUPS should upgrade to these erratum packages, which contain a patch to correct this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2874 [PATCH] cupsd segfault when SIGCHLD received Cupsd hangs on reading pipe with recycled file descriptor. CAN-2005-2874 Malformed HTTP Request URL denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. The mount package contains the mount, umount, swapon and swapoff programs. A bug was found in the way the umount command is executed by normal users. It may be possible for a user to gain elevated privileges if the user is able to execute the "umount -r" command on a mounted file system. The file system will be re-mounted only with the "readonly" flag set, clearing flags such as "nosuid" and "noexec". The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2876 to this issue. This update also fixes a hardlink bug in the script command for Red Hat Enterprise Linux 2.1. If a local user places a hardlinked file named "typescript" in a directory they have write access to, the file will be overwritten if the user running script has write permissions to the destination file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-1494 to this issue. All users of util-linux and mount should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2876 CVE-2001-1494 CAN-2001-1494 hardlink vulnerability in 'script' command CAN-2005-2876 umount unsafe -r usage CAN-2005-2876 umount unsafe -r usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. A bug was found in the way Firefox processes XBM image files. If a user views a specially crafted XBM file, it becomes possible to execute arbitrary code as the user running Firefox. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2701 to this issue. A bug was found in the way Firefox processes certain Unicode sequences. It may be possible to execute arbitrary code as the user running Firefox if the user views a specially crafted Unicode sequence. (CAN-2005-2702) A bug was found in the way Firefox makes XMLHttp requests. It is possible that a malicious web page could leverage this flaw to exploit other proxy or server flaws from the victim's machine. It is also possible that this flaw could be leveraged to send XMLHttp requests to hosts other than the originator; the default behavior of the browser is to disallow this. (CAN-2005-2703) A bug was found in the way Firefox implemented its XBL interface. It may be possible for a malicious web page to create an XBL binding in such a way that would allow arbitrary JavaScript execution with chrome permissions. Please note that in Firefox 1.0.6 this issue is not directly exploitable and will need to leverage other unknown exploits. (CAN-2005-2704) An integer overflow bug was found in Firefox's JavaScript engine. Under favorable conditions, it may be possible for a malicious web page to execute arbitrary code as the user running Firefox. (CAN-2005-2705) A bug was found in the way Firefox displays about: pages. It is possible for a malicious web page to open an about: page, such as about:mozilla, in such a way that it becomes possible to execute JavaScript with chrome privileges. (CAN-2005-2706) A bug was found in the way Firefox opens new windows. It is possible for a malicious web site to construct a new window without any user interface components, such as the address bar and the status bar. This window could then be used to mislead the user for malicious purposes. (CAN-2005-2707) A bug was found in the way Firefox processes URLs passed to it on the command line. If a user passes a malformed URL to Firefox, such as clicking on a link in an instant messaging program, it is possible to execute arbitrary commands as the user running Firefox. (CAN-2005-2968) Users of Firefox are advised to upgrade to this updated package that contains Firefox version 1.0.7 and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-2701 CVE-2005-2702 CVE-2005-2703 CVE-2005-2704 CVE-2005-2705 CVE-2005-2706 CVE-2005-2707 CVE-2005-2968 CVE-2005-3089 CAN-2005-2701 Multiple Firefox issues (CAN-2005-2702, CAN-2005-2703, CAN-2005-2704, CAN-2005-2705, CAN-2005-2706, CAN-2005-2707) CAN-2005-2968 Firefox improper command line URL sanitization cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 HelixPlayer is a media player. A format string bug was discovered in the way HelixPlayer processes RealPix (.rp) files. It is possible for a malformed RealPix file to execute arbitrary code as the user running HelixPlayer. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2710 to this issue. All users of HelixPlayer are advised to upgrade to this updated package, which contains HelixPlayer version 10.0.6 and is not vulnerable to this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-2629 CVE-2005-2710 CVE-2005-2922 CAN-2005-2710 HelixPlayer Format String Flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A bug was found in the way Mozilla processes XBM image files. If a user views a specially crafted XBM file, it becomes possible to execute arbitrary code as the user running Mozilla. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2701 to this issue. A bug was found in the way Mozilla processes certain Unicode sequences. It may be possible to execute arbitrary code as the user running Mozilla, if the user views a specially crafted Unicode sequence. (CAN-2005-2702) A bug was found in the way Mozilla makes XMLHttp requests. It is possible that a malicious web page could leverage this flaw to exploit other proxy or server flaws from the victim's machine. It is also possible that this flaw could be leveraged to send XMLHttp requests to hosts other than the originator; the default behavior of the browser is to disallow this. (CAN-2005-2703) A bug was found in the way Mozilla implemented its XBL interface. It may be possible for a malicious web page to create an XBL binding in a way that would allow arbitrary JavaScript execution with chrome permissions. Please note that in Mozilla 1.7.10 this issue is not directly exploitable and would need to leverage other unknown exploits. (CAN-2005-2704) An integer overflow bug was found in Mozilla's JavaScript engine. Under favorable conditions, it may be possible for a malicious web page to execute arbitrary code as the user running Mozilla. (CAN-2005-2705) A bug was found in the way Mozilla displays about: pages. It is possible for a malicious web page to open an about: page, such as about:mozilla, in such a way that it becomes possible to execute JavaScript with chrome privileges. (CAN-2005-2706) A bug was found in the way Mozilla opens new windows. It is possible for a malicious web site to construct a new window without any user interface components, such as the address bar and the status bar. This window could then be used to mislead the user for malicious purposes. (CAN-2005-2707) Users of Mozilla are advised to upgrade to this updated package that contains Mozilla version 1.7.12 and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-2701 CVE-2005-2702 CVE-2005-2703 CVE-2005-2704 CVE-2005-2705 CVE-2005-2706 CVE-2005-2707 CVE-2005-3089 CAN-2005-2701 Multiple Mozilla issues (CAN-2005-2702, CAN-2005-2703, CAN-2005-2704, CAN-2005-2705, CAN-2005-2706, CAN-2005-2707) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. A bug was found in the way Thunderbird processes certain international domain names. An attacker could create a specially crafted HTML mail, which when viewed by the victim would cause Thunderbird to crash or possibly execute arbitrary code. Thunderbird as shipped with Red Hat Enterprise Linux 4 must have international domain names enabled by the user in order to be vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2871 to this issue. A bug was found in the way Thunderbird processes certain Unicode sequences. It may be possible to execute arbitrary code as the user running Thunderbird if the user views a specially crafted HTML mail containing Unicode sequences. (CAN-2005-2702) A bug was found in the way Thunderbird makes XMLHttp requests. It is possible that a malicious HTML mail could leverage this flaw to exploit other proxy or server flaws from the victim's machine. It is also possible that this flaw could be leveraged to send XMLHttp requests to hosts other than the originator; the default behavior of Thunderbird is to disallow such actions. (CAN-2005-2703) A bug was found in the way Thunderbird implemented its XBL interface. It may be possible for a malicious HTML mail to create an XBL binding in such a way that would allow arbitrary JavaScript execution with chrome permissions. Please note that in Thunderbird 1.0.6 this issue is not directly exploitable and will need to leverage other unknown exploits. (CAN-2005-2704) An integer overflow bug was found in Thunderbird's JavaScript engine. Under favorable conditions, it may be possible for a malicious mail message to execute arbitrary code as the user running Thunderbird. Please note that JavaScript support is disabled by default in Thunderbird. (CAN-2005-2705) A bug was found in the way Thunderbird displays about: pages. It is possible for a malicious HTML mail to open an about: page, such as about:mozilla, in such a way that it becomes possible to execute JavaScript with chrome privileges. (CAN-2005-2706) A bug was found in the way Thunderbird opens new windows. It is possible for a malicious HTML mail to construct a new window without any user interface components, such as the address bar and the status bar. This window could then be used to mislead the user for malicious purposes. (CAN-2005-2707) A bug was found in the way Thunderbird processes URLs passed to it on the command line. If a user passes a malformed URL to Thunderbird, such as clicking on a link in an instant messaging program, it is possible to execute arbitrary commands as the user running Thunderbird. (CAN-2005-2968) Users of Thunderbird are advised to upgrade to this updated package, which contains Thunderbird version 1.0.7 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-2871 CVE-2005-2702 CVE-2005-2703 CVE-2005-2704 CVE-2005-2705 CVE-2005-2706 CVE-2005-2707 CVE-2005-2968 CAN-2005-2871 Firefox buffer overflow affects thunderbird CAN-2005-2701 Multiple Firefox issues (CAN-2005-2702, CAN-2005-2703, CAN-2005-2704, CAN-2005-2705, CAN-2005-2706, CAN-2005-2707) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The netpbm package contains a library of functions that support programs for handling various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps) and others. A bug was found in the way netpbm converts Portable Anymap (PNM) files into Portable Network Graphics (PNG). The usage of uninitialised variables in the pnmtopng code allows an attacker to change stack contents when converting to PNG files with pnmtopng using the '-trans' option. This may allow an attacker to execute arbitrary code. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2978 to this issue. All users of netpbm should upgrade to the updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2978 CAN-2005-2978 Crash running pnmtopng -trans on some pnm files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Ruby is an interpreted scripting language for object-oriented programming. A bug was found in the way ruby handles eval statements. It is possible for a malicious script to call eval in such a way that can allow the bypass of certain safe-level restrictions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2337 to this issue. Users of Ruby should update to these erratum packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2337 CAN-2005-2337 ruby safe-level mode bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. OpenSSL contained a software work-around for a bug in SSL handling in Microsoft Internet Explorer version 3.0.2. This work-around is enabled in most servers that use OpenSSL to provide support for SSL and TLS. Yutaka Oiwa discovered that this work-around could allow an attacker, acting as a "man in the middle" to force an SSL connection to use SSL 2.0 rather than a stronger protocol such as SSL 3.0 or TLS 1.0. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2969 to this issue. A bug was also fixed in the way OpenSSL creates DSA signatures. A cache timing attack was fixed in RHSA-2005-476 which caused OpenSSL to do private key calculations with a fixed time window. The DSA fix for this was not complete and the calculations are not always performed within a fixed-window. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0109 to this issue. Users are advised to upgrade to these updated packages, which remove the MISE 3.0.2 work-around and contain patches to correct these issues. Note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2969 CVE-2005-0109 CAN-2005-2969 Potential SSL 2.0 Rollback CAN-2005-0109 DSA signing not quite constant time cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The xloadimage utility displays images in an X Window System window, loads images into the root window, or writes images into a file. Xloadimage supports many image types (including GIF, TIFF, JPEG, XPM, and XBM). A flaw was discovered in xloadimage via which an attacker can construct a NIFF image with a very long embedded image title. This image can cause a buffer overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-3178 to this issue. All users of xloadimage should upgrade to this erratum package, which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-3178 CAN-2005-3178 xloadimage NIFF buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Lynx is a text-based Web browser. Ulf Härnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-3120 to this issue. Users should update to this erratum package, which contains a backported patch to correct this issue. Critical Copyright 2007 Red Hat, Inc. CVE-2005-3120 CAN-2005-3120 lynx buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 PAM (Pluggable Authentication Modules) is a system security tool that allows system administrators to set an authentication policy without having to recompile programs that handle authentication. A bug was found in the way PAM's unix_chkpwd helper program validates user passwords when SELinux is enabled. Under normal circumstances, it is not possible for a local non-root user to verify the password of another local user with the unix_chkpwd command. A patch applied that adds SELinux functionality makes it possible for a local user to use brute force password guessing techniques against other local user accounts. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2977 to this issue. All users of pam should upgrade to this updated package, which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-2977 CVE-2005-2977 unix_chkpwd helper doesn't verify requesting user if SELinux is enabled cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. A stack based buffer overflow bug was found in cURL's NTLM authentication module. It is possible to execute arbitrary code on a user's machine if the user can be tricked into connecting to a malicious web server using NTLM authentication. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3185 to this issue. All users of curl are advised to upgrade to these updated packages, which contain a backported patch that resolve this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-3185 CAN-2005-3185 NTLM buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. An issue was discovered that affects how page attributes are changed by the kernel. Video drivers, which sometimes map kernel pages with a different caching policy than write-back, are now expected to function correctly. This change affects the x86, AMD64, and Intel EM64T architectures. In addition the following security bugs were fixed: The set_mempolicy system call did not check for negative numbers in the policy field. An unprivileged local user could use this flaw to cause a denial of service (system panic). (CVE-2005-3053) A flaw in ioremap handling on AMD 64 and Intel EM64T systems. An unprivileged local user could use this flaw to cause a denial of service or minor information leak. (CVE-2005-3108) A race condition in the ebtables netfilter module. On a SMP system that is operating under a heavy load this flaw may allow remote attackers to cause a denial of service (crash). (CVE-2005-3110) A memory leak was found in key handling. An unprivileged local user could use this flaw to cause a denial of service. (CVE-2005-3119) A flaw in the Orinoco wireless driver. On systems running the vulnerable drive, a remote attacker could send carefully crafted packets which would divulge the contents of uninitialized kernel memory. (CVE-2005-3180) A memory leak was found in the audit system. An unprivileged local user could use this flaw to cause a denial of service. (CVE-2005-3181) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2005 Red Hat, Inc. CVE-2005-3053 CVE-2005-3108 CVE-2005-3110 CVE-2005-3119 CVE-2005-3180 CVE-2005-3181 RHEL4 (IPF): Support for Additional function in Intel's Monticeto processor (HW) RHEL4: Infiniband support RHEL4 U2: SATA ATAPI support (including ESB2) sym driver creates voluminous /var/log/messages entries FEAT: RHEL 4 U3: ia64 needs hint@pause in spinloop spin loops on both ia32 and ia32e need cpu_relax bonding mode=6 + dhcp doesn't work correctly ia32 apps that are not large file aware can access files >= 4GB SMART support in SATA driver (P1) qlogic fabric rediscovery functionality missing On few Nocona based platforms, acpi-cpufreq driver assumes the wrong CPU freq at boot time RHEL 4 Kernel does not provide ACL support over NFS Amanda hangs on backup in case of ip_conntrack_amanda is used (RHEL4) large usb flash drive require reboot to mount more than once umount fails on nfs server side when nfs client does heavy io Unisys' x86_64 ES7000 loses legacy devices during boot when using latest ES7000 platform code Writing large file to 1TB ext3 volume sometimes very slow SCTP memory consumption, additional fixes Missing SHUTDOWN notification with SCTP stream socket [RHEL4-U3] PCI Hotplug - Slot powered off after enabling ES7000 systems won't boot with large configuration CVE-2004-1190 Continued raw access issues Diskdump fails through ipr driver USB Key stops working after upgrade to U1 dangling POSIX locks after close Oracle Hangs with directio and aio using NFS sysfs_remove_dir() de-references NULL pointer RHEL4 Panics at smp_apic_timer_interrupt Problem with b44: SIOCSIFFLAGS: Cannot allocate memory read() with count > 0xffffffff panics kernel at fs/direct-io.c:886 [RHEL4] 'getpriority/setpriority' broken with PRIO_USER, who=0 io_cancel doesn't work properly Assertion failure in log_do_checkpoint request backport of fc transport class HBA port_id for dm-multipath Kernel PANIC - not syncing: fatal exception qetharp 'Operation not supported' on non-layer2 guestlan PANIC at rpc_wake_up_status Bug in IPv6 address adding error path Bonding driver fails to switch to backup link Bugs in kernel key managment syscall interface Bad order for release_region in error exit from i810_probe CVE-2005-2458 gzip/zlib flaws acct does not have Large File Support 2.6: /sbin/service iptables stop hangs on modprobe -r ipt_state NFS/RPC - timestamp conversion is wrong rpmbuild --rebuild glibc-2.3.4-2.12.src.rpm hangs (same problem with glibc-2.3.4-2.9.src.rpm) Erratic behaviour when system fd limit reached mount/umount can cause the block device reads to fail [RHEL4 U1] OOPS removing ahci driver [RHEL4 U1] Bonding driver does not switch to backup interface upon active interface failure under heavy UDP traffic NFSv3 locking misses important kernel patches RHEL4 Panic in __wake_up_common (networking) Multicast domain membership doesn't follow bonding failover RHEL4 __copy_user breaks on unaligned src RHEL4 U2 performance regression running enterprise workload CVE-2005-2800 SCSI proc DoS FEAT RHEL4 U3: 10GigE Neterion Driver Update (S2io) [RHEL4] hangcheck-timer not compiled in RHEL4 on IA64 SCTP association restart problem, possible backport ipmi_poweroff driver update for Dell <8G servers [RHEL4 U1][diskdump] Diskdump from OS_INIT fails. autofs removes leading path components of /net mounts on timeout FEAT: [RHEL4 U3] kernel dm: Statistic information about dm devices (*) CVE-2005-3044 lost fput and sockfd_put could lead to DoS wait() and waitpid() return inconsistencies under high load CVE-2005-3276 sys_get_thread_area minor info leak [FEAT:][RHEL 4 U3]LVM2 Snapshot support of root CVE-2005-2709 More sysctl flaws [Texas Instruments] nfs bindresvport: Address already in use CVE-2005-3356 double decrement of mqueue_mnt->mnt_count in sys_mq_open oops in gss_pipe_release() ls hangs on krb5 mountd when user has not kinit-ed NFS client oops when debugging is on CRM648268: kernel reporting init process cutime as very large negative value CVE-2005-3106 exec_mmap race DoS Cache invalidation bug in nfs v3 Bad: kernel panic on boot (kernel-2.6.9-22.EL) kernel_lock() problem through NFS mount iSCSI connection recovery uses session address instead of portal address device-mapper mirroring backwards compatibility issue Neterion(S2io) adapter not functional after running offline diagnostics CVE-2005-3109 HFS oops Kernel oops killing process with open files on a NFS3 krb5 mount after /var/lib/nfs/rpc_pipefs has been unmounted FEAT RHEL4 U3 [diskdump]: kernel - support compressing dump data USB: khubd deadlock on error path Kernel key management facility improvements nfsd: clear signals before exiting the nfsd() thread linux-2.6.13-key-reiserfs.patch is incomplete Can't reboot on IBM xSeries 236. rhel4 modules loading signing issue rename(2) onto an empty directory fails on NFS file systems Large LUNS can't be seen with Hitachi Open-L SAN Difficulty with some iSCSI targets in iscsi_sfnet netpoll can dereference a null pointer, causing a system crash [RHEL4] tuxstat SIGSEGV kernel dm: dm-ioctl memory leak on attempt to load non-existing mapping autofs doesn't remount if nfs server is unreachable at expire time kernel dm: DM_LIST_VERSIONS_CMD ioctl reponse truncated kernel dm: Notify userspace when a device is renamed. kernel dm-log: big endian 64-bit corruption kernel dm-log: Make mirror log arch-independent kernel dm: move bdget outside lockfs kernel dm: Make lock_fs optional. kernel dm snapshot: Separate out metadata reading. kernel dm snapshot: Load metadata on table creation not resumption. kernel dm snapshot: Reduce PF_MEMALLOC usage kernel dm multipath: Fix do_end_io locking. race condition when expiring ghosted autofs mounts kernel dm snapshot: bio_list_merge fix Fix for SystemTap bugzilla #1345 - return probe on do_execve unable to create sgi_sn/ptc_statistics" printed to the console Further key management facility improvements Permit key management to request already running process to instantiate a key kernel bug at mm/prio_tree.c cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The ethereal package is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws and cause Ethereal to crash or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project has assigned the names CVE-2005-3241, CVE-2005-3242, CVE-2005-3243, CVE-2005-3244, CVE-2005-3245, CVE-2005-3246, CVE-2005-3247, CVE-2005-3248, CVE-2005-3249, and CVE-2005-3184 to these issues. Users of ethereal should upgrade to these updated packages, which contain version 0.10.13 and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-3241 CVE-2005-3242 CVE-2005-3243 CVE-2005-3244 CVE-2005-3245 CVE-2005-3246 CVE-2005-3247 CVE-2005-3248 CVE-2005-3249 CVE-2005-3184 CVE-2005-3241 Multiple ethereal issues (CVE-2005-3242 CVE-2005-3243 CVE-2005-3244 CVE-2005-3245 CVE-2005-3246 CVE-2005-3247 CVE-2005-3248 CVE-2005-3249 CVE-2005-3184) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3186 to this issue. Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2976 to this issue. Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2975 to this issue. Users of gdk-pixbuf are advised to upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-3186 CVE-2005-2976 CVE-2005-2975 CVE-2005-3186 XPM buffer overflow CVE-2005-2975 Multiple XPM processing issues (CVE-2005-2976) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. A bug was found in the way gtk2 processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gtk2 to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3186 to this issue. Ludwig Nussel discovered an infinite-loop denial of service bug in the way gtk2 processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gtk2 to stop responding when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2975 to this issue. Users of gtk2 are advised to upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-3186 CVE-2005-2975 CVE-2005-3186 XPM buffer overflow CVE-2005-2975 gtk2 XPM DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 GNU Wget is a file retrieval utility that can use either the HTTP or FTP protocols. A stack based buffer overflow bug was found in the wget implementation of NTLM authentication. An attacker could execute arbitrary code on a user's machine if the user can be tricked into connecting to a malicious web server using NTLM authentication. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3185 to this issue. All users of wget are advised to upgrade to these updated packages, which contain a backported patch that resolves this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-3185 CVE-2005-3185 NTLM buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The lm_sensors package includes a collection of modules for general SMBus access and hardware monitoring. This package requires special support which is not in standard version 2.2 kernels. A bug was found in the way the pwmconfig tool creates temporary files. It is possible that a local attacker could leverage this flaw to overwrite arbitrary files located on the system. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2672 to this issue. Users of lm_sensors are advised to upgrade to these updated packages, which contain a backported patch that resolves this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-2672 CVE-2005-2672 lm_sensors pwmconfig insecure temporary file usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The libungif package contains a shared library of functions for loading and saving GIF format image files. Several bugs in the way libungif decodes GIF images were discovered. An attacker could create a carefully crafted GIF image file in such a way that it could cause an application linked with libungif to crash or execute arbitrary code when the file is opened by a victim. The Common Vulnerabilities and Exposures project has assigned the names CVE-2005-2974 and CVE-2005-3350 to these issues. All users of libungif are advised to upgrade to these updated packages, which contain backported patches that resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-2974 CVE-2005-3350 CVE-2005-2974 Several libungif issues (CVE-2005-3350) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3), Transport Layer Security (TLS v1) protocols, and serves as a full-strength general purpose cryptography library. OpenSSL 0.9.6b libraries are provided for Red Hat Enterprise Linux 3 and 4 to allow compatibility with legacy applications. Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that uses the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the server this could lead to a denial of service. (CVE-2004-0079) This issue was reported as not affecting OpenSSL versions prior to 0.9.6c, and testing with the Codenomicon Test Tool showed that OpenSSL 0.9.6b as shipped as a compatibility library with Red Hat Enterprise Linux 3 and 4 did not crash. However, an alternative reproducer has been written which shows that this issue does affect versions of OpenSSL prior to 0.9.6c. Note that Red Hat does not ship any applications with Red Hat Enterprise Linux 3 or 4 that use these compatibility libraries. Users of the OpenSSL096b compatibility package are advised to upgrade to these updated packages, which contain a patch provided by the OpenSSL group that protect against this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0079 CVE-2004-0079 OpenSSL remote DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A flaw was found in the way PHP registers global variables during a file upload request. A remote attacker could submit a carefully crafted multipart/form-data POST request that would overwrite the $GLOBALS array, altering expected script behavior, and possibly leading to the execution of arbitrary PHP commands. Please note that this vulnerability only affects installations which have register_globals enabled in the PHP configuration file, which is not a default or recommended option. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3390 to this issue. A flaw was found in the PHP parse_str() function. If a PHP script passes only one argument to the parse_str() function, and the script can be forced to abort execution during operation (for example due to the memory_limit setting), the register_globals may be enabled even if it is disabled in the PHP configuration file. This vulnerability only affects installations that have PHP scripts using the parse_str function in this way. (CVE-2005-3389) A Cross-Site Scripting flaw was found in the phpinfo() function. If a victim can be tricked into following a malicious URL to a site with a page displaying the phpinfo() output, it may be possible to inject javascript or HTML content into the displayed page or steal data such as cookies. This vulnerability only affects installations which allow users to view the output of the phpinfo() function. As the phpinfo() function outputs a large amount of information about the current state of PHP, it should only be used during debugging or if protected by authentication. (CVE-2005-3388) A denial of service flaw was found in the way PHP processes EXIF image data. It is possible for an attacker to cause PHP to crash by supplying carefully crafted EXIF image data. (CVE-2005-3353) Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-3353 CVE-2005-3388 CVE-2005-3389 CVE-2005-3390 CVE-2005-3390 PHP register globals arbitrary code execution CVE-2005-3389 PHP parse_str can enable register_globals CVE-2005-3388 PHP phpinfo() XSS attack CVE-2005-3353 PHP exif data DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Lynx is a text-based Web browser. An arbitrary command execute bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2929 to this issue. Users should update to this erratum package, which contains a backported patch to correct this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-2929 CVE-2005-2929 lynx arbitrary command execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The xpdf package is an X Window System-based viewer for Portable Document Format (PDF) files. Several flaws were discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, and CVE-2005-3193 to these issues. Users of Xpdf should upgrade to this updated package, which contains a backported patch to resolve these issues. Red Hat would like to thank Derek B. Noonburg for reporting this issue and providing a patch. Important Copyright 2005 Red Hat, Inc. CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628 CVE-2005-3193 xpdf issues (CVE-2005-3191 CVE-2005-3192 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The netpbm package contains a library of functions that support programs for handling various graphics file formats. A stack based buffer overflow bug was found in the way netpbm converts Portable Anymap (PNM) files into Portable Network Graphics (PNG). A specially crafted PNM file could allow an attacker to execute arbitrary code by attempting to convert a PNM file to a PNG file when using pnmtopng with the '-text' option. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3632 to this issue. An "off by one" bug was found in the way netpbm converts Portable Anymap (PNM) files into Portable Network Graphics (PNG). If a victim attempts to convert a specially crafted 256 color PNM file to a PNG file, then it can cause the pnmtopng utility to crash. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3662 to this issue. All users of netpbm should upgrade to these updated packages, which contain backported patches that resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-3632 CVE-2005-3662 CVE-2005-3662 netpbm off by one error CVE-2005-3632 Netpbm buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 C-client is a common API for accessing mailboxes. A buffer overflow flaw was discovered in the way C-client parses user supplied mailboxes. If an authenticated user requests a specially crafted mailbox name, it may be possible to execute arbitrary code on a server that uses C-client to access mailboxes. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2933 to this issue. All users of libc-client should upgrade to these updated packages, which contain a backported patch that resolves this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2933 CVE-2005-2933 imap buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols. A buffer overflow flaw was discovered in the way the c-client library parses user supplied mailboxes. If an authenticated user requests a specially crafted mailbox name, it may be possible to execute arbitrary code on a server that uses the library. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2933 to this issue. All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2933 CVE-2005-2933 imap buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The udev package contains an implementation of devfs in userspace using sysfs and /sbin/hotplug. Richard Cunningham discovered a flaw in the way udev sets permissions on various files in /dev/input. It may be possible for an authenticated attacker to gather sensitive data entered by a user at the console, such as passwords. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3631 to this issue. All users of udev should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Important Copyright 2008 Red Hat, Inc. CVE-2005-3631 CVE-2005-3631 /dev/input/* incorrect permissions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The gpdf package is a GNOME based viewer for Portable Document Format (PDF) files. Several flaws were discovered in gpdf. An attacker could construct a carefully crafted PDF file that could cause gpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, and CVE-2005-3193 to these issues. Users of gpdf should upgrade to this updated package, which contains a backported patch to resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3628 CVE-2005-3193 xpdf issues (CVE-2005-3191 CVE-2005-3192) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment including kpdf, a pdf file viewer. Several flaws were discovered in kpdf. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, and CVE-2005-3193 to these issues. Users of kpdf should upgrade to these updated packages, which contain a backported patch to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628 CVE-2005-3193 xpdf issues (CVE-2005-3191 CVE-2005-3192 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. Stefan Esser discovered an off-by-one bug in curl. It may be possible to execute arbitrary code on a user's machine if the user can be tricked into executing curl with a carefully crafted URL. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-4077 to this issue. All users of curl are advised to upgrade to these updated packages, which contain a backported patch that resolves this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-4077 CVE-2005-4077 SA17907 cURL/libcURL URL Parsing Off-By-One Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. Several flaws were discovered in the way CUPS processes PDF files. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, and CVE-2005-3193 to these issues. All users of CUPS should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3628 CVE-2005-3193 xpdf issues (CVE-2005-3191 CVE-2005-3192) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Perl is a high-level programming language commonly used for system administration utilities and Web programming. An integer overflow bug was found in Perl's format string processor. It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. This issue is only exploitable through a script which passes arbitrary untrusted strings to the format string processor. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to this issue. Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues as well as fixes for several bugs. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-3962 bits/resource.ph has syntax errors (libperl) could not run system-config-printer getgrnam() crashes with "Out of memory" if /etc/group contains long lines CVE-2005-3962 Perl integer overflow issue MakeMaker::MM_Unix doesn't honor LD_RUN_PATH requirements missing C standard headers cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Perl is a high-level programming language commonly used for system administration utilities and Web programming. An integer overflow bug was found in Perl's format string processor. It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. This issue is only exploitable through a script wich passes arbitrary untrusted strings to the format string processor. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to this issue. Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module removed directory trees. If a local user has write permissions to a subdirectory within the tree being removed by File::Path::rmtree, it is possible for them to create setuid binary files. (CVE-2005-0448) Solar Designer discovered several temporary file bugs in various Perl modules. A local attacker could overwrite or create files as the user running a Perl script that uses a vulnerable module. (CVE-2004-0976) Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues as well as fixes for several bugs. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0976 CVE-2005-0448 CVE-2005-3962 [RFE] Need new perl rpm release that fixes threaded memory leak Perl's 'study' function breaks regexp matching CVE-2004-0976 temporary file vulnerabilities in Perl Apparent utf8 bug in Perl's join() garbage after split() Man::Pod does not return true CVE-2005-0448 perl File::Path.pm rmtree race condition Broken POSIX in perl-5.8.0 'split'/'index' problem for utf8 perl bug # 22372: SIGSEGV in sv_chop() bits/resource.ph has syntax errors (libperl) could not run system-config-printer CVE-2005-3962 Perl integer overflow issue Cannot set undef timeout in perl 5.8.0 IO::Socket cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The initscripts package contains the basic system scripts used to boot your Red Hat system, change runlevels, and shut the system down cleanly. Initscripts also contains the scripts that activate and deactivate most network interfaces. A bug was found in the way initscripts handled various environment variables when the /sbin/service command is run. It is possible for a local user with permissions to execute /sbin/service via sudo to execute arbitrary commands as the 'root' user. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3629 to this issue. The following issues have also been fixed in this update: * extraneous characters were logged on bootup. * fsck would be attempted on filesystems marked with _netdev in rc.sysinit before they were available. Additionally, support for multi-core Itanium processors has been added to redhat-support-check. All users of initscripts should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-3629 Automount of the emcpower device fails if fsck is enabled for the device in /etc/fstab. Bogus messages in system log (/var/log/messages) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The initscripts package contains the basic system scripts used to boot your Red Hat system, change runlevels, and shut the system down cleanly. Initscripts also contains the scripts that activate and deactivate most network interfaces. A bug was found in the way initscripts handled various environment variables when the /sbin/service command is run. It is possible for a local user with permissions to execute /sbin/service via sudo to execute arbitrary commands as the 'root' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-3629 to this issue. The following issues have also been fixed in this update: * extraneous characters were logged on bootup * fsck was attempted on file systems marked with _netdev in rc.sysinit before they were available * the dynamically-linked /sbin/multipath was called instead of the correct /sbin/multiplath.static Additionally, this update includes support for partitioned multipath devices and a technology preview of static IP over InifiniBand. All users of initscripts should upgrade to this updated package, which resolves these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-3629 RHEL4: Infiniband support rc.sysinit call dynamicly linked multipath rather than multipath.static Bogus messages in system log (/var/log/messages) Automount of the emcpower device fails if fsck is enabled for the device in /etc/fstab. CVE-2005-3629 root shell can be gained from service if ran through sudo cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. An arbitrary command execution flaw was discovered in the way scp copies files locally. It is possible for a local attacker to create a file with a carefully crafted name that could execute arbitrary commands as the user running scp to copy files locally. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-0225 to this issue. The following issue has also been fixed in this update: * If the sshd service was stopped using the sshd init script while the main sshd daemon was not running, the init script would kill other sshd processes, such as the running sessions. For example, this could happen when the 'service sshd stop' command was issued twice. Additionally, this update implements auditing of user logins through the system audit service. All users of openssh should upgrade to these updated packages, which resolve these issues. Low Copyright 2008 Red Hat, Inc. CVE-2006-0225 CVE-2006-0225 local to local copy uses shell expansion twice init script kills all running sshd's if listening server is stopped add audit message to sshd cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. A denial of service flaw was found in the way squid processes certain NTLM authentication requests. A remote attacker could send a specially crafted NTLM authentication request which would cause the Squid server to crash. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2917 to this issue. Several bugs have also been addressed in this update: * An error introduced in 2.5.STABLE3-6.3E.14 where Squid can crash if a user visits a site which has a long DNS record. * Some authentication helpers were missing needed setuid rights. * Squid couldn't handle a reply from a HTTP server when the reply began with the new-line character or wasn't HTTP/1.0 or HTTP/1.1 compliant. * User-defined error pages were not kept when the squid package was upgraded. All users of squid should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-2917 Error pages should not be replaced by updates Squid doesn't handle headers split across packets Squid blocks page served by broken server Squid dies with signal 6 and restarts and dies ... Error in script /usr/lib/squid/wbinfo_group.pl pam authentication fails One translated Polish language error is missing preventing squid from startup CVE-2005-2917 Squid malformed NTLM authentication DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. A denial of service flaw was found in the way squid processes certain NTLM authentication requests. It is possible for a remote attacker to crash the Squid server by sending a specially crafted NTLM authentication request. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-2917 to this issue. The following issues have also been fixed in this update: * An error introduced in squid-2.5.STABLE6-3.4E.12 can crash Squid when a user visits a site that has a bit longer DNS record. * An error introduced in the old package prevented Squid from returning correct information about large file systems. The new package is compiled with the IDENT lookup support so that users who want to use it do not have to recompile it. * Some authentication helpers needed SETUID rights but did not have them. If administrators wanted to use cache administrator, they had to change the SETUID bit manually. The updated package sets this bit so the new package can be updated without manual intervention from administrators. * Squid could not handle a reply from an HTTP server when the reply began with the new-line character. * An issue was discovered when a reply from an HTTP server was not HTTP 1.0 or 1.1 compliant. * The updated package keeps user-defined error pages when the package is updated and it adds new ones. All users of squid should upgrade to this updated package, which resolves these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-2917 squid child processes exit with signal 6.. squid crashes pam authentication fails CVE-2005-2917 Squid malformed NTLM authentication DoS Squid blocks page served by broken server Error pages should not be replaced by updates One translated Polish language error is missing preventing squid from startup Squid doesn't handle headers split across packets cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: - a flaw in network IGMP processing that a allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate) - a flaw which allowed a local user to write to firmware on read-only opened /dev/cdrom devices (CVE-2004-1190, moderate) - a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458, low) - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate) - a flaw in the SCSI procfs interface that allowed a local user to cause a denial of service (crash) (CVE-2005-2800, moderate) - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important) - a race condition when threads share memory mapping that allowed local users to cause a denial of service (deadlock) (CVE-2005-3106, important) - a flaw when trying to mount a non-hfsplus filesystem using hfsplus that allowed local users to cause a denial of service (crash) (CVE-2005-3109, moderate) - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low) - a flaw in mq_open system call that allowed a local user to cause a denial of service (crash) (CVE-2005-3356, important) - a flaw in set_mempolicy that allowed a local user on some 64-bit architectures to cause a denial of service (crash) (CVE-2005-3358, important) - a flaw in the auto-reap of child processes that allowed a local user to cause a denial of service (crash) (CVE-2005-3784, important) - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important) - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important) - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate) - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important) - a flaw in procfs handling that allowed a local user to read kernel memory (CVE-2005-4605, important) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2006 Red Hat, Inc. CVE-2002-2185 CVE-2004-1190 CVE-2005-2458 CVE-2005-2709 CVE-2005-2800 CVE-2005-3044 CVE-2005-3106 CVE-2005-3109 CVE-2005-3276 CVE-2005-3356 CVE-2005-3358 CVE-2005-3784 CVE-2005-3806 CVE-2005-3848 CVE-2005-3857 CVE-2005-3858 CVE-2005-4605 CVE-2004-1190 Continued raw access issues CVE-2005-2458 gzip/zlib flaws CVE-2005-2800 SCSI proc DoS CVE-2005-3044 lost fput and sockfd_put could lead to DoS CVE-2005-3276 sys_get_thread_area minor info leak CVE-2005-2709 More sysctl flaws CVE-2005-3356 double decrement of mqueue_mnt->mnt_count in sys_mq_open CVE-2005-3106 exec_mmap race DoS CVE-2005-3109 HFS oops [RHEL4] CVE-2005-3784 auto-reap DoS CVE-2005-3806 ipv6 DOS [RHEL4] CVE-2005-3857 lease printk DoS CVE-2005-3858 ip6_input_finish DoS CVE-2005-3848 dst_entry leak DoS CVE-2002-2185 IGMP DoS CVE-2005-3358 panic caused by bad args to set_mempolicy CVE-2005-4605 Kernel memory disclosure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. A bug was found in the way vixie-cron installs new crontab files. It is possible for a local attacker to execute the crontab command in such a way that they can view the contents of another user's crontab file. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1038 to this issue. This update also fixes an issue where cron jobs could start before their scheduled time. All users of vixie-cron should upgrade to this updated package, which contains backported patches and is not vulnerable to these issues. Low Copyright 2008 Red Hat, Inc. CVE-2005-1038 [RHEL-3] cronjobs start too early CVE-2005-1038 vixie-cron information leak prediction: vixie-cron-4.1's pam_unix session log messages will be most unpopular network service interruption can cause initgroups() to delay cron job execution by more than one minute cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email. A denial of service bug was found in SpamAssassin. An attacker could construct a message in such a way that would cause SpamAssassin to crash. If a number of these messages are sent, it could lead to a denial of service, potentially preventing the delivery or filtering of email. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-3351 to this issue. The following issues have also been fixed in this update: * service spamassassin restart sometimes fails * Content Boundary "--" throws off message parser * sa-learn: massive memory usage on large messages * High memory usage with many newlines * service spamassassin messages not translated * Numerous other bug fixes that improve spam filter accuracy and safety Users of SpamAssassin should upgrade to this updated package containing version 3.0.5, which is not vulnerable to these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-3351 CVE-2005-3351 Upgrade to spamassassin-3.0.5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. This is the third regular kernel update to Red Hat Enterprise Linux 4. New features introduced in this update include: - Open InfiniBand (OpenIB) support - Serial Attached SCSI support - NFS access control lists, asynchronous I/O - IA64 multi-core support and sgi updates - Large SMP CPU limits increased using the largesmp kernel: Up to 512 CPUs in ia64, 128 in ppc64, and 64 in AMD64 and Intel EM64T - Improved read-ahead performance - Common Internet File System (CIFS) update - Error Detection and Correction (EDAC) modules - Unisys support There were several bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4. The following security bug was fixed in this update: - dm-crypt did not clear a structure before freeing it, which could allow local users to discover information about cryptographic keys (CVE-2006-0095) The following device drivers have been upgraded to new versions: cciss: 2.6.8 to 2.6.8-rh1 ipmi_devintf: 33.4 to 33.11 ipmi_msghandler: 33.4 to 33.11 ipmi_poweroff: 33.4 to 33.11 ipmi_si: 33.4 to 33.11 ipmi_watchdog: 33.4 to 33.11 mptbase: 3.02.18 to 3.02.60.01rh e1000: 6.0.54-k2-NAPI to 6.1.16-k2-NAPI ixgb: 1.0.95-k2-NAPI to 1.0.100-k2-NAPI tg3: 3.27-rh to 3.43-rh aacraid: 1.1.2-lk2 to 1.1-5[2412] ahci: 1.01 to 1.2 ata_piix: 1.03 to 1.05 iscsi_sfnet: 4:0.1.11-1 to 4:0.1.11-2 libata: 1.11 to 1.20 qla2100: 8.01.00b5-rh2 to 8.01.02-d3 qla2200: 8.01.00b5-rh2 to 8.01.02-d3 qla2300: 8.01.00b5-rh2 to 8.01.02-d3 qla2322: 8.01.00b5-rh2 to 8.01.02-d3 qla2xxx: 8.01.00b5-rh2 to 8.01.02-d3 qla6312: 8.01.00b5-rh2 to 8.01.02-d3 sata_nv: 0.6 to 0.8 sata_promise: 1.01 to 1.03 sata_svw: 1.06 to 1.07 sata_sx4: 0.7 to 0.8 sata_vsc: 1.0 to 1.1 cifs: 1.20 to 1.34 Added drivers: bnx2: 1.4.25 dell_rbu: 0.7 hangcheck-timer: 0.9.0 ib_mthca: 0.06 megaraid_sas: 00.00.02.00 qla2400: 8.01.02-d3 typhoon: 1.5.7 All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-0095 RHEL4 (IPF): Support for Additional function in Intel's Monticeto processor (HW) RHEL4: Infiniband support RHEL4 U2: SATA ATAPI support (including ESB2) sym driver creates voluminous /var/log/messages entries FEAT: RHEL 4 U3: ia64 needs hint@pause in spinloop spin loops on both ia32 and ia32e need cpu_relax bonding mode=6 + dhcp doesn't work correctly ia32 apps that are not large file aware can access files >= 4GB SMART support in SATA driver (P1) qlogic fabric rediscovery functionality missing On few Nocona based platforms, acpi-cpufreq driver assumes the wrong CPU freq at boot time RHEL 4 Kernel does not provide ACL support over NFS Amanda hangs on backup in case of ip_conntrack_amanda is used (RHEL4) large usb flash drive require reboot to mount more than once umount fails on nfs server side when nfs client does heavy io Unisys' x86_64 ES7000 loses legacy devices during boot when using latest ES7000 platform code Writing large file to 1TB ext3 volume sometimes very slow SCTP memory consumption, additional fixes Missing SHUTDOWN notification with SCTP stream socket [RHEL4-U3] PCI Hotplug - Slot powered off after enabling ES7000 systems won't boot with large configuration Diskdump fails through ipr driver USB Key stops working after upgrade to U1 dangling POSIX locks after close Assertion failure in journal_commit_transaction() at fs/jbd/commit.c:790: "jh->b_next_transaction == ((void *)0)" Oracle Hangs with directio and aio using NFS sysfs_remove_dir() de-references NULL pointer RHEL4 Panics at smp_apic_timer_interrupt Problem with b44: SIOCSIFFLAGS: Cannot allocate memory read() with count > 0xffffffff panics kernel at fs/direct-io.c:886 [RHEL4] 'getpriority/setpriority' broken with PRIO_USER, who=0 io_cancel doesn't work properly System occasionally experienced system hangs. Assertion failure in log_do_checkpoint request backport of fc transport class HBA port_id for dm-multipath Kernel PANIC - not syncing: fatal exception qetharp 'Operation not supported' on non-layer2 guestlan PANIC at rpc_wake_up_status Bug in IPv6 address adding error path Bonding driver fails to switch to backup link Bugs in kernel key managment syscall interface Bad order for release_region in error exit from i810_probe acct does not have Large File Support 2.6: /sbin/service iptables stop hangs on modprobe -r ipt_state NFS/RPC - timestamp conversion is wrong rpmbuild --rebuild glibc-2.3.4-2.12.src.rpm hangs (same problem with glibc-2.3.4-2.9.src.rpm) Erratic behaviour when system fd limit reached 2.6.9-16.ELsmp null pointer dereference in __bounce_end_io_read on x86_64 mount/umount can cause the block device reads to fail [RHEL4 U1] OOPS removing ahci driver [RHEL4 U1] Bonding driver does not switch to backup interface upon active interface failure under heavy UDP traffic NFSv3 locking misses important kernel patches RHEL4 Panic in __wake_up_common (networking) Multicast domain membership doesn't follow bonding failover RHEL4 __copy_user breaks on unaligned src RHEL4 U2 performance regression running enterprise workload FEAT RHEL4 U3: 10GigE Neterion Driver Update (S2io) [RHEL4] hangcheck-timer not compiled in RHEL4 on IA64 SCTP association restart problem, possible backport ipmi_poweroff driver update for Dell <8G servers [RHEL4 U1][diskdump] Diskdump from OS_INIT fails. autofs removes leading path components of /net mounts on timeout FEAT: [RHEL4 U3] kernel dm: Statistic information about dm devices (*) wait() and waitpid() return inconsistencies under high load [FEAT:][RHEL 4 U3]LVM2 Snapshot support of root [Texas Instruments] nfs bindresvport: Address already in use oops in gss_pipe_release() ls hangs on krb5 mountd when user has not kinit-ed NFS client oops when debugging is on CRM648268: kernel reporting init process cutime as very large negative value Cache invalidation bug in nfs v3 Bad: kernel panic on boot (kernel-2.6.9-22.EL) kernel_lock() problem through NFS mount iSCSI connection recovery uses session address instead of portal address device-mapper mirroring backwards compatibility issue Neterion(S2io) adapter not functional after running offline diagnostics RHEL 4 Update 2 Incompatibility with VMware ESX 2.5.2 Marvell Yukon 88E8050 ethernet interface not supported Kernel oops killing process with open files on a NFS3 krb5 mount after /var/lib/nfs/rpc_pipefs has been unmounted FEAT RHEL4 U3 [diskdump]: kernel - support compressing dump data USB: khubd deadlock on error path Kernel key management facility improvements nfsd: clear signals before exiting the nfsd() thread linux-2.6.13-key-reiserfs.patch is incomplete Can't reboot on IBM xSeries 236. rhel4 u2 - Null pointer dereference in alc880_auto_fill_dac_nids rhel4 modules loading signing issue rename(2) onto an empty directory fails on NFS file systems Large LUNS can't be seen with Hitachi Open-L SAN No analog audio with the "Intel Corporation Enterprise Southbridge High Definition Audio (rev 08)" Difficulty with some iSCSI targets in iscsi_sfnet netpoll can dereference a null pointer, causing a system crash [RHEL4] tuxstat SIGSEGV NMI watchdog panic during cache_alloc_refill with corrupt size-128 slabcache kernel dm: dm-ioctl memory leak on attempt to load non-existing mapping Lock at "Initializing hardware... storage network" caused by ULi HD Audio controller enabled. autofs doesn't remount if nfs server is unreachable at expire time kernel dm: DM_LIST_VERSIONS_CMD ioctl reponse truncated kernel dm: Notify userspace when a device is renamed. kernel dm-log: big endian 64-bit corruption kernel dm-log: Make mirror log arch-independent kernel dm: move bdget outside lockfs kernel dm: Make lock_fs optional. kernel dm snapshot: Separate out metadata reading. kernel dm snapshot: Load metadata on table creation not resumption. kernel dm snapshot: Reduce PF_MEMALLOC usage kernel dm multipath: Fix do_end_io locking. race condition when expiring ghosted autofs mounts kernel dm snapshot: bio_list_merge fix Fix for SystemTap bugzilla #1345 - return probe on do_execve unable to create sgi_sn/ptc_statistics" printed to the console Further key management facility improvements Permit key management to request already running process to instantiate a key GFS deadlock - gfs_write (do_write_direct) and gfs_setattr (do_truncate) kernel bug at mm/prio_tree.c SCSI errors with latest qlogic driver Provide support for more than 8 logical processors System became unresponsive to local commands. Diskdump overwrite by SATA update Audit fails to record syscall failures when asked to via auditctl [audit][PATCH] New user space message types broken U3 modsyms autofs doesn't attempt to remount failed mount points Kernel panic. Server hangs and is totally unresponsive until a power cycle brings it back online. setxattr() to a file on NFS returns EIO hang-check timer needs to be build on S390/S390x broken memsets in s390 drivers. device-mapper mirror log: avoid overrun while syncing CVE-2006-0095 dm-crypt key leak Please consider upping NR_CPUS to 16 for x86_64 Early panic in "io_apic_get_unique_id" on 4CPU, dual-core HT enabled EM64T System Kernel panic while running NFS ACL test Add aic94xx and sas code into RHEL4 U3 Largesmp kernel does not see all logical CPUs on IBM x460 kernel device-mapper snapshot: barriers are not supported AIM7 File Server Performance -15% relative to U2 BIOS bug shows the wrong number of CPUs CPU's being incorrectly numbered /proc/cpuinfo shows wrong value SCSI LLDD's oops on rmmod if devices scan w/ PQ=3 lvremove panic in dm_mod:kcopyd_client_destroy while attempting to remove a snapshot NPTL: under xterm -e process receives SIGHUP when child thread exits kabi violation in multi-core detection patch device-mapper mirror removal stuck on kcopyd_client_destroy (pvmove hangs) RHEL4 U3 "noht" boot parameter sometimes disables dual core support as well as ht support cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: - a flaw in network IGMP processing that a allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate) - a flaw in remap_page_range() with O_DIRECT writes that allowed a local user to cause a denial of service (crash) (CVE-2004-1057, important) - a flaw in exec() handling on some 64-bit architectures that allowed a local user to cause a denial of service (crash) (CVE-2005-2708, important) - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate) - a flaw in IPv6 network UDP port hash table lookups that allowed a local user to cause a denial of service (hang) (CVE-2005-2973, important) - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important) - a network buffer info leak using the orinoco driver that allowed a remote user to possibly view uninitialized data (CVE-2005-3180, important) - a flaw in IPv4 network TCP and UDP netfilter handling that allowed a local user to cause a denial of service (crash) (CVE-2005-3275, important) - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important) - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important) - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate) - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important) All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architecture and configurations as listed in this erratum. Important Copyright 2006 Red Hat, Inc. CVE-2002-2185 CVE-2004-1057 CVE-2005-2708 CVE-2005-2709 CVE-2005-2973 CVE-2005-3044 CVE-2005-3180 CVE-2005-3275 CVE-2005-3806 CVE-2005-3848 CVE-2005-3857 CVE-2005-3858 CVE-2004-1057 VM_IO refcount issue CVE-2005-2708 user code panics kernel in exec.c CVE-2005-3044 lost fput could lead to DoS CVE-2005-2709 More sysctl flaws CVE-2005-3180 orinoco driver information leakage CVE-2005-2973 ipv6 infinite loop CVE-2005-3275 NAT DoS CVE-2005-3806 ipv6 DOS CVE-2005-3857 lease printk DoS CVE-2005-3858 ip6_input_finish DoS CVE-2005-3848 dst_entry leak DoS CVE-2002-2185 IGMP DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the seventh regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include: - addition of the bnx2, dell_rbu, and megaraid_sas device drivers - support for multi-core, multi-threaded Intel Itanium processors - upgrade of the SATA subsystem to include ATAPI and SMART support - optional tuning via the new numa_memory_allocator, arp_announce, and printk_ratelimit sysctls There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include the networking subsystem, the VM subsystem, NPTL handling, autofs4, the USB subsystem, CPU enumeration, and 32-bit-exec-mode handling on 64-bit architectures. The following device drivers have been upgraded to new versions: aacraid -------- 1.1.5-2412 bnx2 ----------- 1.4.30 (new) dell_rbu ------- 2.1 (new) e1000 ---------- 6.1.16-k3 emulex --------- 7.3.3 fusion --------- 2.06.16.02 ipmi ----------- 35.11 megaraid2 ------ v2.10.10.1 megaraid_sas --- 00.00.02.00 (new) tg3 ------------ 3.43RH The following security bugs were fixed in this update: - a flaw in gzip/zlib handling internal to the kernel that allowed a local user to cause a denial of service (crash) (CVE-2005-2458,low) - a flaw in ext3 EA/ACL handling of attribute sharing that allowed a local user to gain privileges (CVE-2005-2801, moderate) - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low) Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-2458 CVE-2005-2801 CVE-2005-3276 CVE-2005-4798 pppd receives error "Couldn't get channel number: bad address" RHEL3 U5: Support for SATA features of ICH6R (for U3, AHCI only) RHEL3 U3: ICH6 SATA support in ACHI mode RHEL3 U6: SATA ATAPI support (HW) kernel's Makefile not suited for long directory paths RHEL3 U4: SATA AHCI (ICH6) kernel panic when repeatedly accessing /proc/bus/usb/devices and hot-swapping usb device Processes with Large memory requirment causes swap usage with free memory is present. kernel kills db2 processes because of OOM error on RHEL Update2 and Update3 RHEL3 U7: Add SMART capabilities to libata. Hugepages configured on kernel boot line causes x86_64 kernel boot to fail with OOM. oops when "scsi add-single-device" sent to /proc/scsi/scsi using aic79xx [RHEL3 U3] kernel BUG at exit.c:620! LTC18371- [RHEL3 U4]cpu_sibling_map[] is incorrect on x445/x440 'noht' does not work for ia32e Cannot disable hyperthreading on x86_64 platform autofs removes leading path components of /net mounts on timeout LTC12369-In RHEL 3 U4 -- top command gave segmentation fault Viper: install kernel panics on DP system with 4GB all on cpu#2 [RHEL3] poll() seems to ignore large timeout SMART support in SATA driver pl2303 kernel module doesn't work with 'Aten UC-232A' O_DIRECT to sparse areas of files give incomplete writes Can't install RHEL3 on system with Adaptec AAR 1210SA SATA controller (sata_sil - siimage problem) RHEL3 U5: rhgb-client shows illegal instruction and fails. aacraid driver in RHEL 3 U4 em64t causes kernel panic megaraid2 driver causes panic if loaded for a second time Crash on relocated automounts with --bind System crash when dump or tar 64k blocksize to tape from raid LTC13414-32-bit ping6 on 64-bit kernel not working [RHEL3 U5] fails to boot installer on multiple platforms FEAT: RHEL3 U5: need hint@pause in ia64 spinloops FEAT RHEL3 U7 IPF - performance improvement for the system which CPEI occur continuously. RHEL 3 U6: Support for cache identification through 'Deterministic Cache Parameters' [cpuid(4)] [ CRM 488904 ] driver update for Adaptec 2410SA needed (1.1.5-2361 > 1.1.5-2371 or higher) RHEL3 does not support USBDEVFS 32-bit ioctls on x86_64 Advanced server 3 ARP timeout messages RSS limited to 1.8GB if process pinned to one CPU [RHEL3] Does not boot on system with ACPI table crossing page boundary [RHEL 3 U5] adding hotplug drive causes kernel panic [RHEL3] vi --- files getting deleted agpgart will not load for kernel 2.4.21-32 on tyan S2885 motherboard with AMD-8151 agp tunnel Keyboard "jammed" during smp runlevel 5 boot on IBM HS20-8843 BladeServer [RHEL3] hidden bomb of kmap_atomic/kunmap_atomic bug? CVE-2005-2801 Lost ACLs on ext3 Reproducable panic in mdadm multipathing Sometimes data/bss can be executable xserver issue on blade center Race condition accessing PCI config space autofs doesn't remount if nfs server is unreachable at expire time aacraid driver hangs if Adaptec 2230SLP array not optimal st causes system hang and kernel panic when writing to tape on x86_64 Problem with b44: SIOCSIFFLAGS: Cannot allocate memory (VM) Excessive swapping when free memory is ample [RHEL3 and RHEL2.1] ps command core dump LTC8356-LSB runtime testcase T.c_oflag_X failed [PATCH] Endless loop printing traceback during kernel OOPs Explain why the SCSI inquiry is not being returned from the sd for nearly 5 minutes [RHEL3] change_page_attr may set _PAGE_NX for kernel code pages LTC13178-panic on i5 - sys_ppc32.c 32 bit sys_recvmsg corrupting kernel data structures RHEL3U5 x86-64 : xw9300 & numa=on swaps behaviour is unexpected FEAT: RHEL3 U6: ia64 multi-core and multi-threading detection [RHEL3] [x86_64/ia64] sys_time and sys_gettimeofday disagree U5 beta encounters NMI watchdog on Celestica Quartet with 4 Opteron 875 dualcores [RHEL3 U5] __wtd_down_from_wakeup not in EL3 ia64 tree LTC12403-CMVC482920:I/O errors caused by eeh error injection-drive unavailable NFS lockd deadlock /usr/src/linux-2.4.21-32.EL/Documentation/networking/e100.txt contians bad info RHEL 3 - request to add bnx2 driver acct does not have Large File Support FEAT RHEL3U7: Need Intel e1000 driver update for the Dell Ophir/Rimon based PCI-E NICs SMP kernel does not honor boot parameter "noht" [RHEL3] The system hangs when SysRq + c is pressed Panic after ENXIO with usb-uhci Problem removing a USB device CVE-2005-2458 gzip/zlib flaws Inquiry (sg) command hang after a write to tape with mptscsi driver The msync(MS_SYNC) call should fail after cable pulled from scsi disk HA NFS Cluster Problem cciss disk dump hangs if module is ever unloaded/reloaded Erratic behaviour when system fd limit reached aacraid driver needs to be updated to support IBM ServeRAID 8i aacraid driver needs to be updated to support IBM ServeRAID 8i CRM619504: setrlimit RLIMIT_FSIZE limited to 32-bit values, even on 64-bit kernels [RHEL3 U5] waitpid() returns unexpected ECHILD RHEL3: need updated forcedeth.o driver? CRM648268: kernel reporting init process cutime as very large negative value FEAT RHEL3 U7: Need 'bnx2' driver inclusion to support Broadcom 5708C B0 NIC and 5708S BO LOM FEAT RHEL3 U7: LSI megaraid_sas driver Potential netconsole regression in transmit path LTC17567-Fields 'system_potential_processor' and 'partition_max_entiteled_capacity' fields are missing from lparcfg file FEAT RHEL3 U7: ipmi driver speedup patch FEAT RHEL3 U7: ipmi_poweroff driver update for Dell <8G servers Large O_DIRECT write will hang system (MPT fusion) kill -6 of multi-threaded application takes 30 minutes to finish FEAT RHEL3-U7: Support for HT1000 IDE chipset needed RHEL3 U7: x86_64: Remove unique APIC/IO-APIC ID check RH EL 3 U7: add support for Broadcom 5714 and 5715C NICs FEAT RHEL3 U7: add dell_rbu driver for Dell BIOS updates FEAT RHEL3 U7: Need TG3 update to support Broadcom 5721 C1 stepping kernel BUG at page_alloc.c:391! CVE-2005-3276 sys_get_thread_area minor info leak RHEL3U7: ipmi driver fix for PE2650 LSI MegaRAID RHEL3 Feature - Updated SCSI driver submission CVE-2005-4798 nfs client: handle long symlinks properly [RHEL3 U6] __copy_user/memcpy causes random kernel panic on IA-64 systems CRM# 685278 scsi scan not seeing all luns when one lun removed [RHEL3] 'getpriority/setpriority' broken with PRIO_USER, who=0 [RHEL3 U5] Performance problem while extracting tarballs on Fujitsu Siemens Computing D1409, Adaptec S30 array, connected to an aacraid controller. LTC18779-Lost dirty bit in kernel memory managment [PATCH] RHEL-3: 'physical id' field in /proc/cpuinfo incorrect on AMD-64 hosts [RHEL3 U5] Kernel crashing, multiple panics in aacraid driver [RHEL3 U7] netdump hangs in processing of CPU stop after diskdump failed. LTC17955-82222: Support for Serverworks chipset HT2000 Ethernet Driver (BCM5700 & TG3) Broadcom 5706/5708 support System Stops responding with "queue 6 full" messages RedHat / XW9300 / system panic when logout from GNOME with USB mouse LTC18818-pfault interupt race rename(2) onto an empty directory fails on NFS file systems Invalid message 'Aieee!!! Remote IRR still set after unlock' Updated header file with modified author permissions New icache prune export Update Emulex lpfc driver for RHEL 3 Assertion failed! idx >= ARRAY_SIZE(xfer_mode_str),libata-core.c,ata_dev_set_mode,line=1673 [RHEL3 U6] IOs hang in __wait_on_buffer when segments > 170 Multicast domain membership doesn't follow bonding failover LTC19816-Cannot see a concho adapter on U7 kernel [RHEL3 U7 PATCH] LSI PCI Express chips to operate properly [RHEL3 U7] x86-64: Can't boot with 16 logical processors Installer appears to hang when loading mptbase module x366 NMI error logged in infinite loop - [crm#769552] Possible regression U7 beta CRM 724200: when an active USB serial port device is removed, the system panics and locks up. autofs doesn't attempt to remount failed mount points negative dentry caching causes long delay when dentry becomes valid RHEL3U7Beta-32: Booting/Installing with SATA ATAPI Optical panics cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Ethereal is a program for monitoring network traffic. Two denial of service bugs were found in Ethereal's IRC and GTP protocol dissectors. Ethereal could crash or stop responding if it reads a malformed IRC or GTP packet off the network. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the names CVE-2005-3313 and CVE-2005-4585 to these issues. A buffer overflow bug was found in Ethereal's OSPF protocol dissector. Ethereal could crash or execute arbitrary code if it reads a malformed OSPF packet off the network. (CVE-2005-3651) Users of ethereal should upgrade to these updated packages containing version 0.10.14, which is not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-3313 CVE-2005-3651 CVE-2005-4585 CVE-2005-3313 Ethereal IRC dissector DoS CVE-2005-4585 ethereal GTP dissector could go into an infinite loop CVE-2005-3651 ethereal OSPF Protocol Dissector Buffer Overflow Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Apache HTTP Server is a popular and freely-available Web server. A memory leak in the worker MPM could allow remote attackers to cause a denial of service (memory consumption) via aborted connections, which prevents the memory for the transaction pool from being reused for other connections. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2970 to this issue. This vulnerability only affects users who are using the non-default worker MPM. A flaw in mod_imap when using the Referer directive with image maps was discovered. With certain site configurations, a remote attacker could perform a cross-site scripting attack if a victim can be forced to visit a malicious URL using certain web browsers. (CVE-2005-3352) A NULL pointer dereference flaw in mod_ssl was discovered affecting server configurations where an SSL virtual host is configured with access control and a custom 400 error document. A remote attacker could send a carefully crafted request to trigger this issue which would lead to a crash. This crash would only be a denial of service if using the non-default worker MPM. (CVE-2005-3357) Users of httpd should update to these erratum packages which contain backported patches to correct these issues along with some additional bugs. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-2970 CVE-2005-3352 CVE-2005-3357 mod_ssl per-directory renegotiation with request body CVE-2005-2970 httpd worker MPM memory consumption DoS CVE-2005-3352 cross-site scripting flaw in mod_imap CVE-2005-3357 mod_ssl crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 TeTeX is an implementation of TeX. TeX takes a text file and a set of formatting commands as input and creates a typesetter-independent .dvi (DeVice Independent) file as output. Several flaws were discovered in the teTeX PDF parsing library. An attacker could construct a carefully crafted PDF file that could cause teTeX to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 and CVE-2005-3628 to these issues. Users of teTeX should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628 CVE-2005-3193 xpdf issues (CVE-2005-3191 CVE-2005-3192 CVE-2005-3628) [RHEL4] CVE-2005-3624 Additional xpdf issues (CVE-2005-3625 CVE-2005-3626 CVE-2005-3627) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. Chris Evans discovered several flaws in the way CUPS processes PDF files. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues. All users of CUPS should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2006 Red Hat, Inc. CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3624 Additional xpdf issues (CVE-2005-3625 CVE-2005-3626 CVE-2005-3627) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The mod_auth_pgsql package is an httpd module that allows user authentication against information stored in a PostgreSQL database. Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue. Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database. All users of mod_auth_pgsql should upgrade to these updated packages, which contain a backported patch to resolve this issue. This issue does not affect the mod_auth_pgsql package supplied with Red Hat Enterprise Linux 2.1. Red Hat would like to thank iDefense for reporting this issue. Critical Copyright 2006 Red Hat, Inc. CVE-2005-3656 CVE-2005-3656 mod_auth_pgsql format string issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 gpdf is a GNOME based viewer for Portable Document Format (PDF) files. Chris Evans discovered several flaws in the way gpdf processes PDF files. An attacker could construct a carefully crafted PDF file that could cause gpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues. Users of gpdf should upgrade to this updated package, which contains a backported patch to resolve these issues. Important Copyright 2006 Red Hat, Inc. CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 [RHEL4] CVE-2005-3624 Additional xpdf issues (CVE-2005-3625 CVE-2005-3626 CVE-2005-3627) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 ImageMagick(TM) is an image display and manipulation tool for the X Window System that can read and write multiple image formats. A shell command injection flaw was found in ImageMagick's "display" command. It is possible to execute arbitrary commands by tricking a user into running "display" on a file with a specially crafted name. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-4601 to this issue. A format string flaw was discovered in the way ImageMagick handles filenames. It may be possible to execute arbitrary commands by tricking a user into running a carefully crafted ImageMagick command. (CVE-2006-0082) Users of ImageMagick should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-4601 CVE-2006-0082 CVE-2005-4601 ImageMagick display command shell command injection CVE-2006-0082 ImageMagick format string vulnerability. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 kdelibs contains libraries for the K Desktop Environment (KDE). A heap overflow flaw was discovered affecting kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE. An attacker could create a malicious web site containing carefully crafted JavaScript code that would trigger this flaw and possibly lead to arbitrary code execution. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0019 to this issue. NOTE: this issue does not affect KDE in Red Hat Enterprise Linux 3 or 2.1. Users of KDE should upgrade to these updated packages, which contain a backported patch from the KDE security team correcting this issue as well as two bug fixes. Critical Copyright 2006 Red Hat, Inc. CVE-2006-0019 kdegraphics applications crash when Open or Save dialog is opened CVE-2006-0019 kjs encodeuri/decodeuri heap overflow vulnerability pwMutex destroy failure: Device or resource busy cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The gd package contains a graphics library used for the dynamic creation of images such as PNG and JPEG. Several buffer overflow flaws were found in the way gd allocates memory. An attacker could create a carefully crafted image that could execute arbitrary code if opened by a victim using a program linked against the gd library. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0941 to these issues. Users of gd should upgrade to these updated packages, which contain a backported patch and is not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2004-0941 CVE-2004-0941 additional overflows in gd cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. In 2002, a path traversal flaw was found in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar has write access (CVE-2002-0399). Red Hat included a backported security patch to correct this issue in Red Hat Enterprise Linux 3, and an erratum for Red Hat Enterprise Linux 2.1 users was issued. During internal testing, we discovered that our backported security patch contained an incorrect optimization and therefore was not sufficient to completely correct this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-1918 to this issue. Users of tar should upgrade to this updated package, which contains a replacement backported patch to correct this issue. Low Copyright 2006 Red Hat, Inc. CVE-2005-1918 CVE-2005-1918 tar archive path traversal issue CVE-2005-1918 tar archive path traversal issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Python is an interpreted, interactive, object-oriented programming language. An integer overflow flaw was found in Python's PCRE library that could be triggered by a maliciously crafted regular expression. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the application using the library. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2491 to this issue. Users of Python should upgrade to these updated packages, which contain a backported patch that is not vulnerable to this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-2491 CVE-2005-2491 PCRE heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Igor Bukanov discovered a bug in the way Mozilla's Javascript interpreter dereferences objects. If a user visits a malicious web page, Mozilla could crash or execute arbitrary code as the user running Mozilla. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue. moz_bug_r_a4 discovered a bug in Mozilla's XULDocument.persist() function. A malicious web page could inject arbitrary RDF data into a user's localstore.rdf file, which can cause Mozilla to execute arbitrary javascript when a user runs Mozilla. (CVE-2006-0296) A denial of service bug was found in the way Mozilla saves history information. If a user visits a web page with a very long title, it is possible Mozilla will crash or take a very long time the next time it is run. (CVE-2005-4134) Note that the Red Hat Enterprise Linux 3 packages also fix a bug when using XSLT to transform documents. Passing DOM Nodes as parameters to functions expecting an xsl:param could cause Mozilla to throw an exception. Users of Mozilla are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2005-4134 CVE-2006-0292 CVE-2006-0296 CVE-2005-4134 Very long topic history.dat DoS CVE-2006-0292 javascript unrooted access CVE-2006-0296 XULDocument.persist() RDF data injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Igor Bukanov discovered a bug in the way Firefox's Javascript interpreter derefernces objects. If a user visits a malicious web page, Firefox could crash or execute arbitrary code as the user running Firefox. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue. moz_bug_r_a4 discovered a bug in Firefox's XULDocument.persist() function. A malicious web page could inject arbitrary RDF data into a user's localstore.rdf file, which can cause Firefox to execute arbitrary javascript when a user runs Firefox. (CVE-2006-0296) A denial of service bug was found in the way Firefox saves history information. If a user visits a web page with a very long title, it is possible Firefox will crash or take a very long time the next time it is run. (CVE-2005-4134) This update also fixes a bug when using XSLT to transform documents. Passing DOM Nodes as parameters to functions expecting an xsl:param could cause Firefox to throw an exception. Users of Firefox are advised to upgrade to this updated package, which contains backported patches to correct these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2005-4134 CVE-2006-0292 CVE-2006-0296 CVE-2005-4134 Very long topic history.dat DoS CVE-2006-0292 javascript unrooted access CVE-2006-0296 XULDocument.persist() RDF data injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The xpdf package is an X Window System-based viewer for Portable Document Format (PDF) files. A heap based buffer overflow bug was discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0301 to this issue. Users of Xpdf should upgrade to this updated package, which contains a backported patch to resolve these issues. Red Hat would like to thank Dirk Mueller for reporting this issue and providing a patch. Important Copyright 2008 Red Hat, Inc. CVE-2006-0301 CVE-2006-0301 PDF splash handling heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mailman is software to help manage email discussion lists. A flaw in handling of UTF8 character encodings was found in Mailman. An attacker could send a carefully crafted email message to a mailing list run by Mailman which would cause that particular mailing list to stop working. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3573 to this issue. A flaw in date handling was found in Mailman version 2.1.4 through 2.1.6. An attacker could send a carefully crafted email message to a mailing list run by Mailman which would cause the Mailman server to crash. (CVE-2005-4153). Users of Mailman should upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-3573 CVE-2005-4153 CVE-2005-3573 Mailman Denial of Service CVE-2005-4153 Mailman DOS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-0481 to this issue. Please note that the vunerable libpng function is only used by TeTeX and XEmacs on Red Hat Enterprise Linux 4. All users of libpng are advised to update to these updated packages which contain a backported patch that is not vulnerable to this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-0481 CVE-2006-0481 libpng heap based buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment including kpdf, a pdf file viewer. A heap based buffer overflow bug was discovered in kpdf. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0301 to this issue. Users of kpdf should upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-0301 CVE-2006-0301 PDF splash handling heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The GNU TLS Library provides support for cryptographic algorithms and protocols such as TLS. GNU TLS includes Libtasn1, a library developed for ASN.1 structures management that includes DER encoding and decoding. Several flaws were found in the way libtasn1 decodes DER. An attacker could create a carefully crafted invalid X.509 certificate in such a way that could trigger this flaw if parsed by an application that uses GNU TLS. This could lead to a denial of service (application crash). It is not certain if this issue could be escalated to allow arbitrary code execution. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0645 to this issue. In Red Hat Enterprise Linux 4, the GNU TLS library is only used by the Evolution client when connecting to an Exchange server or when publishing calendar information to a WebDAV server. Users are advised to upgrade to these updated packages, which contain a backported patch from the GNU TLS maintainers to correct this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-0645 CVE-2006-0645 GnuTLS x509 DER DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Jim Meyering discovered a buffer overflow bug in the way GNU tar extracts malformed archives. By tricking a user into extracting a malicious tar archive, it is possible to execute arbitrary code as the user running tar. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-0300 to this issue. Users of tar should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-0300 CVE-2006-0300 GNU tar heap overlfow bug cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment including kpdf, a PDF file viewer. Marcelo Ricardo Leitner discovered that a kpdf security fix, CVE-2005-3627, was incomplete. Red Hat issued kdegraphics packages with this incomplete fix in RHSA-2005:868. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0746 to this issue. Users of kpdf should upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-0746 CVE-2006-0746 kpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Sendmail is a Mail Transport Agent (MTA) used to send mail between machines. A flaw in the handling of asynchronous signals was discovered in Sendmail. A remote attacker may be able to exploit a race condition to execute arbitrary code as root. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0058 to this issue. By default on Red Hat Enterprise Linux 3 and 4, Sendmail is configured to only accept connections from the local host. Therefore, only users who have configured Sendmail to listen to remote hosts would be able to be remotely exploited by this vulnerability. Users of Sendmail are advised to upgrade to these erratum packages, which contain a backported patch from the Sendmail team to correct this issue. Critical Copyright 2008 Red Hat, Inc. CVE-2006-0058 CVE-2006-0058 Sendmail race condition issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically signed data with detached signatures. It is possible for an attacker to construct a cryptographically signed message which could appear to come from a third party. When a victim processes a GnuPG message with a malformed detached signature, GnuPG ignores the malformed signature, processes and outputs the signed data, and exits with status 0, just as it would if the signature had been valid. In this case, GnuPG's exit status would not indicate that no signature verification had taken place. This issue would primarily be of concern when processing GnuPG results via an automated script. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to this issue. Tavis Ormandy also discovered a bug in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to inject unsigned data into a signed message in such a way that when a victim processes the message to recover the data, the unsigned data is output along with the signed data, giving the appearance of having been signed. This issue is mitigated in the GnuPG shipped with Red Hat Enterprise Linux as the --ignore-crc-error option must be passed to the gpg executable for this attack to be successful. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue. Note that neither of these issues affect the way RPM or up2date verify RPM package files, nor is RPM vulnerable to either of these issues. All users of GnuPG are advised to upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2006 Red Hat, Inc. CVE-2006-0049 CVE-2006-0455 initial gpg run doesn't create .gnupg/secring.gpg RHEL3, gnupg-1.2.1-10, gpg: Creates corrupt files (probably 2GB problem) CVE-2006-0455 gpg will quietly exit when attempting to verify a malformed message CVE-2006-0049 Gnupg incorrect malformed message verification cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The ipsec-tools package is used in conjunction with the IPsec functionality in the linux kernel and includes racoon, an IKEv1 keying daemon. A denial of service flaw was found in the ipsec-tools racoon daemon. If a victim's machine has racoon configured in a non-recommended insecure manner, it is possible for a remote attacker to crash the racoon daemon. (CVE-2005-3732) Users of ipsec-tools should upgrade to these updated packages, which contain backported patches, and are not vulnerable to these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-3732 CVE-2005-3732 ipsec-tools IKE DoS CVE-2005-3732 ipsec-tools IKE DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A bug was found in the way FreeRADIUS authenticates users via the MSCHAP V2 protocol. It is possible for a remote attacker to authenticate as a victim by sending a malformed MSCHAP V2 login request to the FreeRADIUS server. (CVE-2006-1354) Please note that FreeRADIUS installations not using the MSCHAP V2 protocol for authentication are not vulnerable to this issue. A bug was also found in the way FreeRADIUS logs SQL errors from the sql_unixodbc module. It may be possible for an attacker to cause FreeRADIUS to crash or execute arbitrary code if they are able to manipulate the SQL database FreeRADIUS is connecting to. (CVE-2005-4744) Users of FreeRADIUS should update to these erratum packages, which contain backported patches and are not vulnerable to these issues. Important Copyright 2006 Red Hat, Inc. CVE-2006-1354 CVE-2005-4744 CVE-2005-4744 Multiple freeradius security issues CVE-2006-1354 FreeRADIUS authentication bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 OpenMotif provides libraries which implement the Motif industry standard graphical user interface. A number of buffer overflow flaws were discovered in OpenMotif's libUil library. It is possible for an attacker to execute arbitrary code as a victim who has been tricked into executing a program linked against OpenMotif, which then loads a malicious User Interface Language (UIL) file. (CVE-2005-3964) Users of OpenMotif are advised to upgrade to these erratum packages, which contain a backported security patch to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-3964 CVE-2005-3964 openmotif libUil buffer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996) The html_entity_decode() PHP function was found to not be binary safe. An attacker could use this flaw to disclose a certain part of the memory. In order for this issue to be exploitable the target site would need to have a PHP script which called the "html_entity_decode()" function with untrusted input from the user and displayed the result. (CVE-2006-1490) The error handling output was found to not properly escape HTML output in certain cases. An attacker could use this flaw to perform cross-site scripting attacks against sites where both display_errors and html_errors are enabled. (CVE-2006-0208) An input validation error was found in the "mb_send_mail()" function. An attacker could use this flaw to inject arbitrary headers in a mail sent via a script calling the "mb_send_mail()" function where the "To" parameter can be controlled by the attacker. (CVE-2005-3883) A buffer overflow flaw was discovered in uw-imap, the University of Washington's IMAP Server. php-imap is compiled against the static c-client libraries from imap and therefore needed to be recompiled against the fixed version. This issue only affected Red Hat Enterprise Linux 3. (CVE-2005-2933). Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2003-1303 CVE-2005-2933 CVE-2005-3883 CVE-2006-0208 CVE-2006-0996 CVE-2006-1490 PEAR::DB autoExecute function does not work when updating with WHERE clause CVE-2005-3883 PHP mb_send_mail() header parsing issue CVE-2005-2933 imap buffer overflow CVE-2006-0208 PHP Cross Site Scripting (XSS) flaw ImageCreateFromGif does not clean up its temporary file CVE-2006-1490 PHP memory disclosure issue CVE-2006-0996 phpinfo() XSS issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Dia drawing program is designed to draw various types of diagrams. infamous41md discovered three buffer overflow bugs in Dia's xfig file format importer. If an attacker is able to trick a Dia user into opening a carefully crafted xfig file, it may be possible to execute arbitrary code as the user running Dia. (CVE-2006-1550) Users of Dia should update to these erratum packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-1550 CVE-2006-1550 Dia multiple buffer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SquirrelMail is a standards-based webmail package written in PHP4. A bug was found in the way SquirrelMail presents the right frame to the user. If a user can be tricked into opening a carefully crafted URL, it is possible to present the user with arbitrary HTML data. (CVE-2006-0188) A bug was found in the way SquirrelMail filters incoming HTML email. It is possible to cause a victim's web browser to request remote content by opening a HTML email while running a web browser that processes certain types of invalid style sheets. Only Internet Explorer is known to process such malformed style sheets. (CVE-2006-0195) A bug was found in the way SquirrelMail processes a request to select an IMAP mailbox. If a user can be tricked into opening a carefully crafted URL, it is possible to execute arbitrary IMAP commands as the user viewing their mail with SquirrelMail. (CVE-2006-0377) Users of SquirrelMail are advised to upgrade to this updated package, which contains SquirrelMail version 1.4.6 and is not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-0188 CVE-2006-0195 CVE-2006-0377 CVE-2006-0188 Possible XSS through right_frame parameter in webmail.php CVE-2006-0195 Possible XSS in MagicHTML (IE only) CVE-2006-0377 IMAP injection in sqimap_mailbox_select mailbox parameter cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. An arbitrary command execution flaw was discovered in the way scp copies files locally. It is possible for a local attacker to create a file with a carefully crafted name that could execute arbitrary commands as the user running scp to copy files locally. (CVE-2006-0225) The SSH daemon, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass "from=" and "user@host" address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. (CVE-2003-0386) The following issues have also been fixed in this update: * If the sshd service was stopped using the sshd init script while the main sshd daemon was not running, the init script would kill other sshd processes, such as the running sessions. For example, this could happen when the 'service sshd stop' command was issued twice. * When privilege separation was enabled, the last login message was printed only for the root user. * The sshd daemon was sending messages to the system log from a signal handler when debug logging was enabled. This could cause a deadlock of the user's connection. All users of openssh should upgrade to these updated packages, which resolve these issues. Low Copyright 2008 Red Hat, Inc. CVE-2006-0225 CVE-2003-0386 CVE-2003-0386 host based access bypass init script kills all running sshd's if listening server is stopped CVE-2006-0225 local to local copy uses shell expansion twice I can't see "Last login" message after logged via ssh cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Several bugs were found in the way Firefox processes malformed javascript. A malicious web page could modify the content of a different open web page, possibly stealing sensitive information or conducting a cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732, CVE-2006-1741) Several bugs were found in the way Firefox processes certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-1727, CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1742) Several bugs were found in the way Firefox processes malformed web pages. A carefully crafted malicious web page could cause the execution of arbitrary code as the user running Firefox. (CVE-2006-0748, CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790) A bug was found in the way Firefox displays the secure site icon. If a browser is configured to display the non-default secure site modal warning dialog, it may be possible to trick a user into believing they are viewing a secure site. (CVE-2006-1740) A bug was found in the way Firefox allows javascript mutation events on "input" form elements. A malicious web page could be created in such a way that when a user submits a form, an arbitrary file could be uploaded to the attacker. (CVE-2006-1729) Users of Firefox are advised to upgrade to these updated packages containing Firefox version 1.0.8 which corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-0748 CVE-2006-0749 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742 CVE-2006-1790 CVE-2006-0749 Firefox Tag Order Vulnerability CVE-2006-1741 Cross-site JavaScript injection using event handlers CVE-2006-1742 JavaScript garbage-collection hazard audit CVE-2006-1737 Crashes with evidence of memory corruption (CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)) CVE-2006-1740 Secure-site spoof (requires security warning dialog) CVE-2006-1735 Privilege escalation via XBL.method.eval CVE-2006-1734 Privilege escalation using a JavaScript function's cloned parent CVE-2006-1733 Accessing XBL compilation scope via valueOf.call() CVE-2006-1732 cross-site scripting through window.controllers CVE-2006-0749 Mozilla Firefox Tag Order Vulnerability CVE-2006-1731 Cross-site scripting using .valueOf.call() CVE-2006-1724 Crashes with evidence of memory corruption (1.5.0.2) CVE-2006-1730 CSS Letter-Spacing Heap Overflow Vulnerability CVE-2006-1729 File stealing by changing input type CVE-2006-1728 Privilege escalation using crypto.generateCRMFRequest CVE-2006-1727 Privilege escalation through Print Preview CVE-2006-0748 Table Rebuilding Code Execution Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several bugs were found in the way Mozilla processes malformed javascript. A malicious web page could modify the content of a different open web page, possibly stealing sensitive information or conducting a cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732, CVE-2006-1741) Several bugs were found in the way Mozilla processes certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-1727, CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1742) Several bugs were found in the way Mozilla processes malformed web pages. A carefully crafted malicious web page could cause the execution of arbitrary code as the user running Mozilla. (CVE-2006-0748, CVE-2006-0749, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790) A bug was found in the way Mozilla displays the secure site icon. If a browser is configured to display the non-default secure site modal warning dialog, it may be possible to trick a user into believing they are viewing a secure site. (CVE-2006-1740) A bug was found in the way Mozilla allows javascript mutation events on "input" form elements. A malicious web page could be created in such a way that when a user submits a form, an arbitrary file could be uploaded to the attacker. (CVE-2006-1729) A bug was found in the way Mozilla executes in-line mail forwarding. If a user can be tricked into forwarding a maliciously crafted mail message as in-line content, it is possible for the message to execute javascript with the permissions of "chrome". (CVE-2006-0884) Users of Mozilla are advised to upgrade to these updated packages containing Mozilla version 1.7.13 which corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-0748 CVE-2006-0749 CVE-2006-0884 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742 CVE-2006-1790 CVE-2006-1741 Cross-site JavaScript injection using event handlers CVE-2006-1742 JavaScript garbage-collection hazard audit CVE-2006-1737 Crashes with evidence of memory corruption (CVE-2006-1738, CVE-2006-1739, CVE-2006-1790) CVE-2006-1740 Secure-site spoof (requires security warning dialog) CVE-2006-1735 Privilege escalation via XBL.method.eval CVE-2006-1734 Privilege escalation using a JavaScript function's cloned parent CVE-2006-1733 Accessing XBL compilation scope via valueOf.call() CVE-2006-1732 cross-site scripting through window.controllers CVE-2006-0749 Mozilla Firefox Tag Order Vulnerability CVE-2006-1731 Cross-site scripting using .valueOf.call() CVE-2006-0884 JavaScript execution in mail when forwarding in-line CVE-2006-1730 CSS Letter-Spacing Heap Overflow Vulnerability CVE-2006-1729 File stealing by changing input type CVE-2006-1728 Privilege escalation using crypto.generateCRMFRequest CVE-2006-1727 Privilege escalation through Print Preview CVE-2006-0748 Table Rebuilding Code Execution Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. Several bugs were found in the way Thunderbird processes malformed javascript. A malicious HTML mail message could modify the content of a different open HTML mail message, possibly stealing sensitive information or conducting a cross-site scripting attack. Please note that JavaScript support is disabled by default in Thunderbird. (CVE-2006-1731, CVE-2006-1732, CVE-2006-1741) Several bugs were found in the way Thunderbird processes certain javascript actions. A malicious HTML mail message could execute arbitrary javascript instructions with the permissions of 'chrome', allowing the page to steal sensitive information or install browser malware. Please note that JavaScript support is disabled by default in Thunderbird. (CVE-2006-0292, CVE-2006-0296, CVE-2006-1727, CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1742) Several bugs were found in the way Thunderbird processes malformed HTML mail messages. A carefully crafted malicious HTML mail message could cause the execution of arbitrary code as the user running Thunderbird. (CVE-2006-0748, CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790) A bug was found in the way Thunderbird processes certain inline content in HTML mail messages. It may be possible for a remote attacker to send a carefully crafted mail message to the victim, which will fetch remote content, even if Thunderbird is configured not to fetch remote content. (CVE-2006-1045) A bug was found in the way Thunderbird executes in-line mail forwarding. If a user can be tricked into forwarding a maliciously crafted mail message as in-line content, it is possible for the message to execute javascript with the permissions of "chrome". (CVE-2006-0884) Users of Thunderbird are advised to upgrade to these updated packages containing Thunderbird version 1.0.8, which is not vulnerable to these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-0292 CVE-2006-0296 CVE-2006-0748 CVE-2006-0749 CVE-2006-0884 CVE-2006-1045 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1741 CVE-2006-1742 CVE-2006-1790 CVE-2006-1741 Cross-site JavaScript injection using event handlers CVE-2006-1742 JavaScript garbage-collection hazard audit CVE-2006-1737 Crashes with evidence of memory corruption (CVE-2006-1738, CVE-2006-1739, CVE-2006-1790) CVE-2006-1735 Privilege escalation via XBL.method.eval CVE-2006-1734 Privilege escalation using a JavaScript function's cloned parent CVE-2006-1733 Accessing XBL compilation scope via valueOf.call() CVE-2006-1732 cross-site scripting through window.controllers CVE-2006-0749 Mozilla Firefox Tag Order Vulnerability CVE-2006-1731 Cross-site scripting using .valueOf.call() CVE-2006-1724 Crashes with evidence of memory corruption (1.5.0.2) CVE-2006-0884 JavaScript execution in mail when forwarding in-line CVE-2006-1730 CSS Letter-Spacing Heap Overflow Vulnerability CVE-2006-1728 Privilege escalation using crypto.generateCRMFRequest CVE-2006-1727 Privilege escalation through Print Preview CVE-2006-1045 Mail Multiple Information Disclosure CVE-2006-0748 Table Rebuilding Code Execution Vulnerability CVE-2006-0292 javascript unrooted access CVE-2006-0296 XULDocument.persist() RDF data injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The elfutils packages contain a number of utility programs and libraries related to the creation and maintenance of executable code. The elfutils packages that originally shipped with Red Hat Enterprise Linux 4 were GPL-licensed versions which lacked some functionality. Previous updates provided fully functional versions of elfutils only under the OSL license. This update provides a fully functional, GPL-licensed version of elfutils. In the OSL-licensed elfutils versions provided in previous updates, some tools could sometimes crash when given corrupted input files. (CVE-2005-1704) Also, when the eu-strip tool was used to create separate debuginfo files from relocatable objects such as kernel modules (.ko), the resulting debuginfo files (.ko.debug) were sometimes corrupted. Both of these problems are fixed in the new version. Users of elfutils should upgrade to these updated packages, which resolve these issues. Low Copyright 2006 Red Hat, Inc. CVE-2005-1704 eu-strip mangles separate debuginfo with relocation sections CVE-2005-1704 Integer overflow in libelf Elfutils license upgrade cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The elfutils packages contain a number of utility programs and libraries related to the creation and maintenance of executable code. The elfutils packages that originally shipped with Red Hat Enterprise Linux 3 were GPL-licensed versions which lacked some functionality. Previous updates provided fully functional versions of elfutils only under the OSL license. This update provides a fully functional, GPL-licensed version of elfutils. In the OSL-licensed elfutils versions provided in previous updates, some tools could sometimes crash when given corrupted input files. (CVE-2005-1704) Also, when the eu-strip tool was used to create separate debuginfo files from relocatable objects such as kernel modules (.ko), the resulting debuginfo files (.ko.debug) were sometimes corrupted. Both of these problems are fixed in the new version. Users of elfutils should upgrade to these updated packages, which resolve these issues. Low Copyright 2008 Red Hat, Inc. CVE-2005-1704 CVE-2005-1704 Integer overflow in libelf RHEL3 U8: Elfutils license upgrade eu-strip mangles separate debuginfo with relocation sections cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Network Time Protocol (NTP) is used to synchronize a computer's time with a reference time source. The NTP daemon (ntpd), when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes ntpd to run with different privileges than intended. (CVE-2005-2496) The following issues have also been addressed in this update: - The init script had several problems - The script executed on upgrade could fail - The man page for ntpd indicated the wrong option for specifying a chroot directory - The ntp daemon could crash with the message "Exiting: No more memory!" - There is a new option for syncing the hardware clock after a successful run of ntpdate Users of ntp should upgrade to these updated packages, which resolve these issues. Low Copyright 2006 Red Hat, Inc. CVE-2005-2496 multiple problems with ntpd init.d script CVE-2005-2496 improper group set when running ntpd ntp %post scriptlet fails on upgrade, if ntpd is disabled. ntpd dies with the error "Exiting: out of memory!" ntpdate not invoked when supplying the -x option cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Ethereal is a program for monitoring network traffic. Several denial of service bugs were found in Ethereal's protocol dissectors. Ethereal could crash or stop responding if it reads a malformed packet off the network. (CVE-2006-1932, CVE-2006-1933, CVE-2006-1937, CVE-2006-1938, CVE-2006-1939, CVE-2006-1940) Several buffer overflow bugs were found in Ethereal's COPS, telnet, and ALCAP dissectors as well as Network Instruments file code and NetXray/Windows Sniffer file code. Ethereal could crash or execute arbitrary code if it reads a malformed packet off the network. (CVE-2006-1934, CVE-2006-1935, CVE-2006-1936) Users of ethereal should upgrade to these updated packages containing version 0.99.0, which is not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-1932 CVE-2006-1933 CVE-2006-1934 CVE-2006-1935 CVE-2006-1936 CVE-2006-1937 CVE-2006-1938 CVE-2006-1939 CVE-2006-1940 CVE-2006-1932 Multiple ethereal issues (CVE-2006-1933, CVE-2006-1934, CVE-2006-1935, CVE-2006-1936, CVE-2006-1937, CVE-2006-1938, CVE-2006-1939, CVE-2006-1940) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. An integer overflow flaw was discovered in libtiff. An attacker could create a carefully crafted TIFF file in such a way that it could cause an application linked with libtiff to crash or possibly execute arbitrary code. (CVE-2006-2025) A double free flaw was discovered in libtiff. An attacker could create a carefully crafted TIFF file in such a way that it could cause an application linked with libtiff to crash or possibly execute arbitrary code. (CVE-2006-2026) Several denial of service flaws were discovered in libtiff. An attacker could create a carefully crafted TIFF file in such a way that it could cause an application linked with libtiff to crash. (CVE-2006-2024, CVE-2006-2120) All users are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2006 Red Hat, Inc. CVE-2006-2024 CVE-2006-2025 CVE-2006-2026 CVE-2006-2120 CVE-2006-2024 multiple libtiff issues (CVE-2006-2025, CVE-2006-2026) CVE-2006-2120 libtiff DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Ruby is an interpreted scripting language for object-oriented programming. A bug was found in the way Ruby creates its xmlrpc and http servers. The servers use a non blocking socket, which enables a remote user to cause a denial of service condition if they are able to transmit a large volume of information from the network server. (CVE-2006-1931) Users of Ruby should update to these erratum packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-1931 CVE-2006-1931 Ruby http/xmlrpc server DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the eighth regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include: - addition of the adp94xx and dcdbas device drivers - diskdump support on megaraid_sas, qlogic, and swap partitions - support for new hardware via driver and SCSI white-list updates There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include the networking subsystem, the NFS and autofs4 file systems, the SCSI and USB subsystems, and architecture-specific handling affecting AMD Opteron and Intel EM64T processors. The following device drivers have been added or upgraded to new versions: adp94xx -------- 1.0.8 (new) bnx2 ----------- 1.4.38 cciss ---------- 2.4.60.RH1 dcdbas --------- 5.6.0-1 (new) e1000 ---------- 7.0.33-k2 emulex --------- 7.3.6 forcedeth ------ 0.30 ipmi ----------- 35.13 qlogic --------- 7.07.04b6 tg3 ------------ 3.52RH The following security bugs were fixed in this update: - a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate) - a flaw in the exec() handling of multi-threaded tasks using ptrace() that allowed a local user to cause a denial of service (hang of a user process) (CVE-2005-3107, low) - a difference in "sysretq" operation of EM64T (as opposed to Opteron) processors that allowed a local user to cause a denial of service (crash) upon return from certain system calls (CVE-2006-0741 and CVE-2006-0744, important) - a flaw in unaligned accesses handling on Intel Itanium processors that allowed a local user to cause a denial of service (crash) (CVE-2006-0742, important) - an info leak on AMD-based x86 and x86_64 systems that allowed a local user to retrieve the floating point exception state of a process run by a different user (CVE-2006-1056, important) - a flaw in IPv4 packet output handling that allowed a remote user to bypass the zero IP ID countermeasure on systems with a disabled firewall (CVE-2006-1242, low) - a minor info leak in socket option handling in the network code (CVE-2006-1343, low) - a flaw in IPv4 netfilter handling for the unlikely use of SNMP NAT processing that allowed a remote user to cause a denial of service (crash) or potential memory corruption (CVE-2006-2444, moderate) Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2008 Red Hat, Inc. CVE-2005-3055 CVE-2005-3107 CVE-2006-0741 CVE-2006-0742 CVE-2006-0744 CVE-2006-1056 CVE-2006-1242 CVE-2006-1343 CVE-2006-2444 i8253 count too high! resetting... cannot reboot on Dell 6450 with RHEL 3 i8253 count too high "i8253 count too high! resetting.." ? panics in generic_aio_complete_rw and unmap_kvec after __iodesc_free calls generic_aio_complete_read() Reboot fails on Dell PowerEdge 6450 kernel panic in umount clock_gettime() triggers audit kill from i386 binary on x86_64 autofs (automount) failover does not work kernel oops when unplugging usb serial adapter using pl2303 and mct_u232 System hangs when rebooting Dell PE6450 kernel panic in md driver (md lacks proper locking of device lists) [PATCH] [RHEL3] dpt_i2o modules in RHEL gets oops Implement a better solution to the dma memory allocation done in the kernel megaraid2 driver fails to recognize all LSI RAID adapters when there are more than 4 with >=4GB Hang with radeon driver when DRM DRI actve timer interrupt received twice on ATI chipset motherboard, clock runs at double speed kernel panic when removing active USB serial converter used as serial console Kernel panic on 8GB machines under stress running e1000 diagnostics I/O Errors when swtiching Blade USB Media Tray kernel oops with usbserial (minicom key pressed) Accessing automounted directories can cause a process to hang forever EHCI Host driver violates USB2.0 Specification leading to device failures. Unable to unmount a local file system exported by NFS GART error during bootup kernel crashes with an Ooops CVE-2005-3055 async usb devio oops CVE-2005-3107 zap_threads DoS MCE arg parsing broken on x86-64 [PATCH] bonding: don't drop non-VLAN traffic sys_io_setup() can leak an mm reference on failure Reboot of Dell 6450 fails Kernel panic : Unable to handle kernel paging request at virtual address 6668c79a [RHEL3] [RFE] forcedeth driver on xw9300 has minimal support for ethtool and mii-tool [RHEL3] dump_stack() isn't implemented on x86_64 syslog-only netdump still tries to dump memory bonding mode=6 + dhcp doesn't work correctly Intermittently unable to mount NFS filesystem using autofs --ghost Data corruption in ext3 FS when running hazard (corrupt inodes) Phantom escalating load due to flawed rq->nr_uninterruptible increment IBM x336, x260, and x460 requires acpi=noirq bootup option. ST Tape Driver Bug!! kernel/libc type mismatch on siginfo_t->si_band - breaks FAM on 64bit arches Kernel BUG at pci_dma:43 encountered BNX2 Patch in 2.4.21-40.EL kills "Network Device Support" config menu CVE-2006-1242 Linux zero IP ID vulnerability? CVE-2006-1343 Small information leak in SO_ORIGINAL_DST RHEL3U7 fails installation using RSA(2). Submission of a patch for non-sequential LUN mapping make menuconfig crashes IPMI startup race condition CVE-2006-1056 FPU Information leak on i386/x86-64 on AMD CPUs CVE-2006-2444 SNMP NAT netfilter memory corruption [Beta RHEL3 U8 Regression] Processes hung while allocating stack using gdb cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces such as GNOME and KDE are designed upon. A buffer overflow flaw in the X.org server RENDER extension was discovered. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-1526) Users of X.org should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue. This issue does not affect Red Hat Enterprise Linux 2.1 or 3. Important Copyright 2006 Red Hat, Inc. CVE-2006-1526 CVE-2006-1526 X.Org buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mailman is software to help manage email discussion lists. A flaw was found in the way Mailman handles MIME multipart messages. An attacker could send a carefully crafted MIME multipart email message to a mailing list run by Mailman which would cause that particular mailing list to stop working. (CVE-2006-0052) Users of Mailman should upgrade to this updated package, which contains backported patches to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-0052 CVE-2006-0052 Mailman DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: * a flaw in the IPv6 implementation that allowed a local user to cause a denial of service (infinite loop and crash) (CVE-2005-2973, important) * a flaw in the bridge implementation that allowed a remote user to cause forwarding of spoofed packets via poisoning of the forwarding table with already dropped frames (CVE-2005-3272, moderate) * a flaw in the atm module that allowed a local user to cause a denial of service (panic) via certain socket calls (CVE-2005-3359, important) * a flaw in the NFS client implementation that allowed a local user to cause a denial of service (panic) via O_DIRECT writes (CVE-2006-0555, important) * a difference in "sysretq" operation of EM64T (as opposed to Opteron) processors that allowed a local user to cause a denial of service (crash) upon return from certain system calls (CVE-2006-0741 and CVE-2006-0744, important) * a flaw in the keyring implementation that allowed a local user to cause a denial of service (OOPS) (CVE-2006-1522, important) * a flaw in IP routing implementation that allowed a local user to cause a denial of service (panic) via a request for a route for a multicast IP (CVE-2006-1525, important) * a flaw in the SCTP-netfilter implementation that allowed a remote user to cause a denial of service (infinite loop) (CVE-2006-1527, important) * a flaw in the sg driver that allowed a local user to cause a denial of service (crash) via a dio transfer to memory mapped (mmap) IO space (CVE-2006-1528, important) * a flaw in the threading implementation that allowed a local user to cause a denial of service (panic) (CVE-2006-1855, important) * two missing LSM hooks that allowed a local user to bypass the LSM by using readv() or writev() (CVE-2006-1856, moderate) * a flaw in the virtual memory implementation that allowed local user to cause a denial of service (panic) by using the lsof command (CVE-2006-1862, important) * a directory traversal vulnerability in smbfs that allowed a local user to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences (CVE-2006-1864, moderate) * a flaw in the ECNE chunk handling of SCTP that allowed a remote user to cause a denial of service (panic) (CVE-2006-2271, moderate) * a flaw in the handling of COOKIE_ECHO and HEARTBEAT control chunks of SCTP that allowed a remote user to cause a denial of service (panic) (CVE-2006-2272, moderate) * a flaw in the handling of DATA fragments of SCTP that allowed a remote user to cause a denial of service (infinite recursion and crash) (CVE-2006-2274, moderate) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2006 Red Hat, Inc. CVE-2005-2973 CVE-2005-3272 CVE-2005-3359 CVE-2006-0555 CVE-2006-0741 CVE-2006-0744 CVE-2006-1522 CVE-2006-1525 CVE-2006-1527 CVE-2006-1528 CVE-2006-1855 CVE-2006-1856 CVE-2006-1862 CVE-2006-1864 CVE-2006-2271 CVE-2006-2272 CVE-2006-2274 CVE-2006-1528 Possible local crash by dio/mmap sg driver CVE-2005-2973 ipv6 infinite loop CVE-2005-3272 bridge poisoning CVE-2005-3359 incorrect inrement/decrement in atm module leads to panic CVE-2006-0555 NFS client panic using O_DIRECT CVE-2006-0741 bad elf entry address (CVE-2006-0744) CVE-2006-1855 Old thread debugging causes false BUG() in choose_new_parent CVE-2006-1522 DoS/bug in keyring code (security/keys/) CVE-2006-1862 The lsof command triggers a kernel oops under heavy load CVE-2006-1525 ip_route_input() panic CVE-2006-1864 smbfs chroot issue CVE-2006-1527 netfilter/sctp: lockup in sctp_new() CVE-2006-2271 SCTP ECNE chunk handling DoS CVE-2006-2272 SCTP incoming COOKIE_ECHO and HEARTBEAT packets DoS CVE-2006-2274 SCTP DATA fragments DoS CVE-2006-1856 LSM missing readv/writev cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XScreenSaver is a collection of screensavers. A keyboard focus flaw was found in the way XScreenSaver prompts the user to enter their password to unlock the screen. XScreenSaver did not properly ensure it had proper keyboard focus, which could leak a users password to the program with keyboard focus. This behavior is not common, as only certain applications exhibit this focus error. (CVE-2004-2655) Several flaws were found in the way various XScreenSaver screensavers create temporary files. It may be possible for a local attacker to create a temporary file in way that could overwrite a different file to which the user running XScreenSaver has write permissions. (CVE-2003-1294) Users of XScreenSaver should upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2003-1294 CVE-2004-2655 CVE-2003-1294 xscreensaver temporary file flaws CVE-2004-2655 xscreensaver passes password to other applications cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 FreeType is a free, high-quality, and portable font engine. Chris Evans discovered several integer underflow and overflow flaws in the FreeType font engine. If a user loads a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code as the user. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2006-0747, CVE-2006-1861, CVE-2006-3467) A NULL pointer dereference flaw was found in the FreeType font engine. An application linked against FreeType can crash upon loading a malformed font file. (CVE-2006-2661) Users of FreeType should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-0747 CVE-2006-1861 CVE-2006-2661 CVE-2006-3467 CVE-2006-0747 Freetype integer underflow (CVE-2006-2661) CVE-2006-1861 freetype multiple integer overflows (CVE-2006-3467) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Sendmail is a Mail Transport Agent (MTA) used to send mail between machines. A flaw in the handling of multi-part MIME messages was discovered in Sendmail. A remote attacker could create a carefully crafted message that could crash the sendmail process during delivery (CVE-2006-1173). By default on Red Hat Enterprise Linux, Sendmail is configured to only accept connections from the local host. Therefore, only users who have configured Sendmail to listen to remote hosts would be remotely vulnerable to this issue. Users of Sendmail are advised to upgrade to these erratum packages, which contain a backported patch from the Sendmail team to correct this issue. Important Copyright 2008 Red Hat, Inc. CVE-2006-1173 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Quagga manages the TCP/IP based routing protocol. It takes a multi-server and multi-thread approach to resolve the current complexity of the Internet. An information disclosure flaw was found in the way Quagga interprets RIP REQUEST packets. RIPd in Quagga will respond to RIP REQUEST packets for RIP versions that have been disabled or that have authentication enabled, allowing a remote attacker to acquire information about the local network. (CVE-2006-2223) A route injection flaw was found in the way Quagga interprets RIPv1 RESPONSE packets when RIPv2 authentication is enabled. It is possible for a remote attacker to inject arbitrary route information into the RIPd routing tables. This issue does not affect Quagga configurations where only RIPv2 is specified. (CVE-2006-2224) A denial of service flaw was found in Quagga's telnet interface. If an attacker is able to connect to the Quagga telnet interface, it is possible to cause Quagga to consume vast quantities of CPU resources by issuing a malformed 'sh' command. (CVE-2006-2276) Users of Quagga should upgrade to these updated packages, which contain backported patches that correct these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-2223 CVE-2006-2224 CVE-2006-2276 CVE-2006-2223 Quagga RIPd information disclosure CVE-2006-2224 Quagga RIPd route injection CVE-2006-2276 quagga locks with command sh ip bgp cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PostgreSQL is an advanced Object-Relational database management system (DBMS). A bug was found in the way PostgreSQL's PQescapeString function escapes strings when operating in a multibyte character encoding. It is possible for an attacker to provide an application a carefully crafted string containing invalidly-encoded characters, which may be improperly escaped, allowing the attacker to inject malicious SQL. While this update fixes how PQescapeString operates, the PostgreSQL server has also been modified to prevent such an attack occurring through unpatched clients. (CVE-2006-2313, CVE-2006-2314). More details about this issue are available in the linked PostgreSQL technical documentation. An integer signedness bug was found in the way PostgreSQL generated password salts. The actual salt size is only half the size of the expected salt, making the process of brute forcing password hashes slightly easier. This update will not strengthen already existing passwords, but all newly assigned passwords will have the proper salt length. (CVE-2006-0591) Users of PostgreSQL should upgrade to these updated packages containing PostgreSQL version 7.4.13, which corrects these issues. Important Copyright 2006 Red Hat, Inc. CVE-2006-0591 CVE-2006-2313 CVE-2006-2314 CVE-2006-0591 postgresql pgcrypt minor salt generation flaw CVE-2006-2313, CVE-2006-2314: PostgreSQL remote SQL injection vulnerability CVE-2006-2313, CVE-2006-2314: PostgreSQL remote SQL injection vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. A privilege escalation flaw was found in the way Vixie Cron runs programs; vixie-cron does not properly verify an attempt to set the current process user id succeeded. It was possible for a malicious local users who exhausted certain limits to execute arbitrary commands as root via cron. (CVE-2006-2607) All users of vixie-cron should upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-2607 CVE-2006-2607 Jobs start from root when pam_limits enabled cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Dia drawing program is designed to draw various types of diagrams. Several format string flaws were found in the way dia displays certain messages. If an attacker is able to trick a Dia user into opening a carefully crafted file, it may be possible to execute arbitrary code as the user running Dia. (CVE-2006-2453, CVE-2006-2480) Users of Dia should update to these erratum packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-2453 CVE-2006-2480 CVE-2006-2480 Dia format string issue (CVE-2006-2453) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email. A flaw was found with the way the Spamassassin spamd daemon processes the virtual pop username passed to it. If a site is running spamd with both the --vpopmail and --paranoid flags, it is possible for a remote user with the ability to connect to the spamd daemon to execute arbitrary commands as the user running the spamd daemon. (CVE-2006-2447) Note: None of the IMAP or POP servers shipped with Red Hat Enterprise Linux 4 support vpopmail delivery. Running spamd with the --vpopmail and --paranoid flags is uncommon and not the default startup option as shipped with Red Hat Enterprise Linux 4. Spamassassin, as shipped in Red Hat Enterprise Linux 4, performs RBL lookups against visi.com to help determine if an email is spam. However, this DNS RBL has recently disappeared, resulting in mail filtering delays and timeouts. Users of SpamAssassin should upgrade to these updated packages containing version 3.0.6 and backported patches, which are not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-2447 /etc/sysconfig/spamassasin loses file context and timestamp spamassassin looks up broken NS domain (visi.com) CVE-2006-2447 spamassassin arbitrary command execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. A flaw was found in the way the MySQL mysql_real_escape() function escaped strings when operating in a multibyte character encoding. An attacker could provide an application a carefully crafted string containing invalidly-encoded characters which may be improperly escaped, leading to the injection of malicious SQL commands. (CVE-2006-2753) An information disclosure flaw was found in the way the MySQL server processed malformed usernames. An attacker could view a small portion of server memory by supplying an anonymous login username which was not null terminated. (CVE-2006-1516) An information disclosure flaw was found in the way the MySQL server executed the COM_TABLE_DUMP command. An authenticated malicious user could send a specially crafted packet to the MySQL server which returned random unallocated memory. (CVE-2006-1517) A log file obfuscation flaw was found in the way the mysql_real_query() function creates log file entries. An attacker with the the ability to call the mysql_real_query() function against a mysql server can obfuscate the entry the server will write to the log file. However, an attacker needed to have complete control over a server in order to attempt this attack. (CVE-2006-0903) This update also fixes numerous non-security-related flaws, such as intermittent authentication failures. All users of mysql are advised to upgrade to these updated packages containing MySQL version 4.1.20, which is not vulnerable to these issues. Important Copyright 2006 Red Hat, Inc. CVE-2006-0903 CVE-2006-1516 CVE-2006-1517 CVE-2006-2753 CVE-2006-3081 CVE-2006-4380 CVE-2006-0903 Mysql log file obfuscation Client error in mysql on updates when high concurrency CVE-2006-1517 Mysql information leak CVE-2006-1516 mysql anonymous login information leak CVE-2006-2753 MySQL improper multibyte string escaping cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SquirrelMail is a standards-based webmail package written in PHP4. A local file disclosure flaw was found in the way SquirrelMail loads plugins. In SquirrelMail 1.4.6 or earlier, if register_globals is on and magic_quotes_gpc is off, it became possible for an unauthenticated remote user to view the contents of arbitrary local files the web server has read-access to. This configuration is neither default nor safe, and configuring PHP with the register_globals set on is dangerous and not recommended. (CVE-2006-2842) Users of SquirrelMail should upgrade to this erratum package, which contains a backported patch to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-2842 CVE-2006-2842 Squirrelmail file inclusion cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdebase packages provide the core applications for KDE, the K Desktop Environment. These core packages include the KDE Display Manager (KDM). Ludwig Nussel discovered a flaw in KDM. A malicious local KDM user could use a symlink attack to read an arbitrary file that they would not normally have permissions to read. (CVE-2006-2449) Note: this issue does not affect the version of KDM as shipped with Red Hat Enterprise Linux 2.1 or 3. All users of KDM should upgrade to these updated packages which contain a backported patch to correct this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-2449 CVE-2006-2449 kdm file disclosure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A directory traversal vulnerability was found in PHP. Local users could bypass open_basedir restrictions allowing remote attackers to create files in arbitrary directories via the tempnam() function. (CVE-2006-1494) The wordwrap() PHP function did not properly check for integer overflow in the handling of the "break" parameter. An attacker who could control the string passed to the "break" parameter could cause a heap overflow. (CVE-2006-1990) A flaw was found in the zend_hash_del() PHP function. For PHP scripts that rely on the use of the unset() function, a remote attacker could force variable initialization to be bypassed. This would be a security issue particularly for installations that enable the "register_globals" setting. "register_globals" is disabled by default in Red Hat Enterprise Linux. (CVE-2006-3017) Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-1494 CVE-2006-1990 CVE-2006-3017 CVE-2006-1494 PHP tempname open_basedir issue CVE-2006-1990 wordwrap integer overflow CVE-2006-3017 zend_hash_del bug cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 GnuPG is a utility for encrypting data and creating digital signatures. An integer overflow flaw was found in GnuPG. An attacker could create a carefully crafted message packet with a large length that could cause GnuPG to crash or possibly overwrite memory when opened. (CVE-2006-3082) All users of GnuPG are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-3082 CVE-2006-3082 gnupg integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. A Sun security specialist reported an issue with the application framework. An attacker could put macros into document locations that could cause OpenOffice.org to execute them when the file was opened by a victim. (CVE-2006-2198) A bug was found in the OpenOffice.org Java virtual machine implementation. An attacker could write a carefully crafted Java applet that can break through the "sandbox" and have full access to system resources with the current user privileges. (CVE-2006-2199) A buffer overflow bug was found in the OpenOffice.org file processor. An attacker could create a carefully crafted XML file that could cause OpenOffice.org to write data to an arbitrary location in memory when the file was opened by a victim. (CVE-2006-3117) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2008 Red Hat, Inc. CVE-2006-2198 CVE-2006-2199 CVE-2006-3117 CVE-2006-2198 various OOo advisories (CVE-2006-2199, CVE-2006-3117) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. During security research, Red Hat discovered a behavioral flaw in core dump handling. A local user could create a program that would cause a core file to be dumped into a directory they would not normally have permissions to write to. This could lead to a denial of service (disk consumption), or allow the local user to gain root privileges. (CVE-2006-2451) Prior to applying this update, users can remove the ability to escalate privileges using this flaw by configuring core files to dump to an absolute location. By default, core files are created in the working directory of the faulting application, but this can be overridden by specifying an absolute location for core files in /proc/sys/kernel/core_pattern. To avoid a potential denial of service, a separate partition for the core files should be used. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2006 Red Hat, Inc. CVE-2006-2451 CVE-2006-2451 Possible privilege escalation through prctl() and suid_dumpable cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 New features introduced in this update include: * Device Mapper mirroring support * IDE diskdump support * x86, AMD64 and Intel EM64T: Multi-core scheduler support enhancements * Itanium: perfmon support for Montecito * much improved support for IBM x460 * AMD PowerNow! patches to support Opteron Rev G * Vmalloc support > 64MB The following device drivers have been upgraded to new versions: ipmi: 33.11 to 33.13 ib_mthca: 0.06 to 0.08 bnx2: 1.4.30 to 1.4.38 bonding: 2.6.1 to 2.6.3 e100: 3.4.8-k2-NAPI to 3.5.10-k2-NAPI e1000: 6.1.16-k3-NAPI to 7.0.33-k2-NAPI sky2: 0.13 to 1.1 tg3: 3.43-rh to 3.52-rh ipw2100: 1.1.0 to git-1.1.4 ipw2200: 1.0.0 to git-1.0.10 3w-9xxx: 2.26.02.001 to 2.26.04.010 ips: 7.10.18 to 7.12.02 iscsi_sfnet: 4:0.1.11-2 to 4:0.1.11-3 lpfc: 0:8.0.16.18 to 0:8.0.16.27 megaraid_sas: 00.00.02.00 to 00.00.02.03-RH1 qla2xxx: 8.01.02-d4 to 8.01.04-d7 qla6312: 8.01.02-d4 to 8.01.04-d7 sata_promise: 1.03 to 1.04 sata_vsc: 1.1 to 1.2 ibmvscsic: 1.5.5 to 1.5.6 ipr: 2.0.11.1 to 2.0.11.2 Added drivers: dcdbas: 5.6.0-2 sata_mv: 0.6 sata_qstor: 0.05 sata_uli: 0.5 skge: 1.1 stex: 2.9.0.13 pdc_adma: 0.03 This update includes fixes for the security issues: * a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate) * a flaw in the ACL handling of nfsd that allowed a remote user to bypass ACLs for readonly mounted NFS file systems (CVE-2005-3623, moderate) * a flaw in the netfilter handling that allowed a local user with CAP_NET_ADMIN rights to cause a buffer overflow (CVE-2006-0038, low) * a flaw in the IBM S/390 and IBM zSeries strnlen_user() function that allowed a local user to cause a denial of service (crash) or to retrieve random kernel data (CVE-2006-0456, important) * a flaw in the keyctl functions that allowed a local user to cause a denial of service (crash) or to read sensitive kernel memory (CVE-2006-0457, important) * a flaw in unaligned accesses handling on Itanium processors that allowed a local user to cause a denial of service (crash) (CVE-2006-0742, important) * a flaw in SELinux ptrace logic that allowed a local user with ptrace permissions to change the tracer SID to a SID of another process (CVE-2006-1052, moderate) * an info leak on AMD-based x86 and x86_64 systems that allowed a local user to retrieve the floating point exception state of a process run by a different user (CVE-2006-1056, important) * a flaw in IPv4 packet output handling that allowed a remote user to bypass the zero IP ID countermeasure on systems with a disabled firewall (CVE-2006-1242, low) * a minor info leak in socket option handling in the network code (CVE-2006-1343, low) * a flaw in the HB-ACK chunk handling of SCTP that allowed a remote user to cause a denial of service (crash) (CVE-2006-1857, moderate) * a flaw in the SCTP implementation that allowed a remote user to cause a denial of service (deadlock) (CVE-2006-2275, moderate) * a flaw in the socket buffer handling that allowed a remote user to cause a denial of service (panic) (CVE-2006-2446, important) * a flaw in the signal handling access checking on PowerPC that allowed a local user to cause a denial of service (crash) or read arbitrary kernel memory on 64-bit systems (CVE-2006-2448, important) * a flaw in the netfilter SCTP module when receiving a chunkless packet that allowed a remote user to cause a denial of service (crash) (CVE-2006-2934, important) There were several bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4. Important Copyright 2008 Red Hat, Inc. CVE-2005-3055 CVE-2005-3623 CVE-2006-0038 CVE-2006-0456 CVE-2006-0457 CVE-2006-0742 CVE-2006-1052 CVE-2006-1056 CVE-2006-1242 CVE-2006-1343 CVE-2006-1857 CVE-2006-2275 CVE-2006-2446 CVE-2006-2448 CVE-2006-2934 install hangs on Dell PowerVault 745 with SATA drives (sata_vsc module) fix missing wakeup in ipc/sem udevd fails to create /dev files after misc_register Sound Blaster Audigy 2 Value audio does not work [RHEL4-U2][Diskdump] OS_INIT dump function is broken kernel may oops if more than 4k worth of string data returned in /proc/devices Can't install from SATA CD/DVD drive Loss of SATA ICH device hangs RAID1 [PATCH] ata_piix fails on some ICH7 hardware snd-nm256 module hangs Dell Latitude CSx kernel build broken when 4KSTACKS disabled EHCI Host driver violates USB2.0 Specification leading to device failures mdadm --grow infinite resync No (useful) logging of parameters to execve CVE-2005-3055 async usb devio oops COMM_LOST problem with SCTP stream socket SMP kernel crash when use as LVS router rm command hangs when removing a symlink on ext2 loop filesystem Deadlock in fc_target_unblock while shutting down the system sata_promise: missing PCI ID for SATA300 TX4 RHEL4 U3 feature request: add some new lm sensors modules to the i2c module Oops kernel NULL pointer ipw2100 modules crashes and restarts whenever in use Spurious keyboard repeats and clock is fast kernel panic after a few hours/days of operation with pulse vmalloc limited to 64Mb kernel panics when rebooting Kernel panic with this comment: <4>VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day... Kernel panic on install on 64BG EM64T TG3 driver crashes with BCM4704C chipset with heavy traffic Documentation mismatch RFE: tg3 support for Broadcom 5751 PCIe System hangs with kernel panic when using current 3ware drivers [PATCH] bonding: don't drop non-VLAN traffic CRM# 717690: crash possibly related to ipvsadm [RHEL 4 U2] kernel panic on EM64T with long cmdline args misleading overcommit_memory reference in Documentation/filesystems/proc.txt Accessing automounted directories can cause a process to hang forever [RHEL4-U3] Checking dump partition fails when a swap partition whose size is less than memory size is configured for diskdump. sata-nv crashes on multiple SATA disks The hash.h hash_long function, when used on a 64 bit machine, ignores many of the middle-order bits. io_setup() fails for 32bit tasks in x86-64 Oprofile unsupported recent Pentium4 xw6400 System panic while installing RHEL4-U3 SELinux MLS compatibility No i915 DRM module Last AIO read of a file opened with O_DIRECT returns wrong length O_DIRECT bug when reading last block of sparse file RHEL4u4 FEAT: Provide support for Opteron Rev G and Power Now! clean-up Please backport the sata_mv Marvell MV88SX5081 driver? kernel boot can Oops in work queue code when console blanks Request to update lpfc driver in RHEL 4 U4 deadlocks on ext2,sync mounted fs kmir_mon worker thread doesn't exit aic7xxx and aic79xx Drivers Don't Support 16-byte CDBs typo in spinlock.h? line 407 ipv6 ready logo-P1 ND Test24 fails- RA Lifetime=5 not understood [RHEL4] MCE arg parsing broken on x86-64 Console redirection on DRAC 3 results in repeated key strokes (P1) lpfc driver: add managment ioctl module to kernel tree Gettimeofday() timer related slowdown and scaling issue add MCP51/ NVidia 430 IDE support Error given when duplicate non-updateable key (eg: keyring) added Key quota handling incorrect in allocation CVE-2006-0457 Key syscalls use get length of strings before copying, and assume terminating NUL copied from userspace CVE-2006-0456 s390/s390x strnlen_user() is broken NFS lockd recovery is broken in U3 due to missing code. [EMC/Oracle RHEL 4.4] ISCSI MODULE SHOWS MULTIPLE DEVICES FOR A SINGLE LUN IN RHEL 4.0 U2 Possible hang when ptracing and using hugepages [RHEL4] [RFE] Add diskdump capability to IDE DoS attack possible via nfsservctl CVE-2006-0742 Bug in IA64 unaligned access handler causes kernel panic ramfs: update dir mtime and ctime dm: make sure don't give out the same minor number twice Large LUNS can't be seen with Hitachi Open- SAN PCI interrupts on ioapic pins 0-15 always get "legacy" IRQs. [BETA RHEL4 U3] brokenness in cfq_dispatch_requests Kernel should export number and state of local APICs CVE-2005-3623 ACL setting on read-only fs CVE-2006-1052 SELinux flaw kernel dm: bad argument count check in dm-log.c kernel dm: missing bdput kernel dm: fix free_dev del_gendisk kernel dm: flush queued bios if suspend is interrupted kernel dm: log bitset fix BE find_next_zero_bit kernel device-mapper mirroring: table output incorrect kernel dm snapshots: replace siblings list kernel dm mirroring: suspend operation is not well behaved kernel dm snapshots: fix invalidation kernel dm: striped access beyond end of device [RHEL4 U3] kernel dm mirror: unrelated mirror devices stall if any log device fails [RHEL4 U3] device-mapper mirror: Data corruption if the default mirror fails during recovery. [RHEL4 U3] device-mapper mirror: Data corruption by temporal errors during recovery. kernel dm: bio split bvec fix [RHEL4 U3] device-mapper mirror: Write failure region becomes in-sync when suspension. CVE-2006-1242 Linux zero IP ID vulnerability? Connectathon tests fail against newer Irix server NFSD fails SETCLIENTID_CONFIRM kernel dm mirror: lvs Copy% overs 100% by lvreduce/lvresize. CVE-2006-1343 Small information leak in SO_ORIGINAL_DST CVE-2006-0038 netfilters do_replace() overflow nvidia cache aliasing problem: change_page_attr drops GLOBAL bit from executable kernel pages ACPI 2.0 systems with no XSDT fail to boot kernel problem to deal with 3ware 9500SX-12 RAID cards [RHEL4 U3] dm-mirror: read stalls if all mirrors failed CVE-2006-2275 SCTP traffic probably never resumes diskdump_sysfs_store() needs to check sscanf retval diskdump_sysfs_store() should check partition number device_to_gendisk() is lacking mntput(nd.mnt) on exit diskdump - device_to_gendisk() is both racy CVE-2006-1056 FPU Information leak on i386/x86-64 on AMD CPUs Replication failover fails if the NFS permissions are incorrect on one of the servers... kernel dm snapshots: Incorrect processing of incorrect chunk size Kernel appears too conservative in memory use tlb_clear_slave races with tlb_choose_channel Update Qlogic qla2xxx driver in RHEL 4 U4 Trouble with recent module - one packet is seen more than one time VLAN not working on initial startup [Stratus RHEL4 U4 bug] unchecked error path in usb_alloc_dev can lead to an Oops. RHEL4-U3: openipmi: startup race condition Submit Promise RHEL4 driver in-box to RHEL4 CD Submit Promise RHEL4 driver in-box to RHEL4 CD Submit Promise RHEL4 driver in-box to RHEL4 CD dm: Fix mapped device references REGRESSION: kabi breakage on ia64_mv CVE-2006-0742 Bug in IA64 unaligned access handler causes kernel panic installer does not see SATA HDs attached to JMB360 chipset which in legacy mode MCE arg parsing broken on x86-64 device-mapper mirror: Need proper notification of sync status chage on write failure REGRESSION: kernel-2.6.9.36 does not boot on ALTIX systems Fix problems with MSI-X on 64-bit platforms CVE-2006-1857 SCTP HB-ACK chunk overflow CVE-2006-2446 LTC20512-kernel BUG in __kfree_skb while running TCP+Kernel stress RFE: add pci ids for atiixp Not using all available system memory - swapping too aggressive - high load average (iowait) A write to a cluster mirror volume not in sync will hang and also cause the sync to hang as well gettimeofday goes backwards on IBM x460 merged servers CVE-2006-2448 missing access_ok checks in powerpc signal*.c veritas storage foundation 32bit apps crash in glibc during post-process installation RHEL4 U4 i386 partner beta will not install on ES7000/one HP xw9400 network card not getting seen Regression: cluster mirror creation cmd hangs even though mirror gets created VLANs, tg3 driver, and 2.6.9-34.EL kernel update O=/objdir builds fail for out-of-tree builds with 2.6.9-39.4 CVE-2006-2934 SCTP netfilter DoS with chunkless packets kernel freeze at "kernel BUG at kernel/timer.c:420!" kernel deadlock on reading /proc/meminfo on 4 CPU's at the same time cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdebase packages provide the core applications for KDE, the K Desktop Environment. A flaw was found in KDE where the kdesktop_lock process sometimes failed to terminate properly. This issue could either block the user's ability to manually lock the desktop or prevent the screensaver to activate, both of which could have a security impact for users who rely on these functionalities. (CVE-2006-2933) Please note that this issue only affected Red Hat Enterprise Linux 3. All users of kdebase should upgrade to these updated packages, which contain a patch to resolve this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-2933 CVE-2006-2933 occasionally KDE screensaver fails to start cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mutt is a text-mode mail user agent. A buffer overflow flaw was found in the way Mutt processes an overly long namespace from a malicious imap server. In order to exploit this flaw a user would have to use Mutt to connect to a malicious IMAP server. (CVE-2006-3242) Users of Mutt are advised to upgrade to these erratum packages, which contain a backported patch to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-3242 CVE-2006-3242 Mutt IMAP namespace buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. The Mozilla Foundation has discontinued support for the Mozilla Suite. This update deprecates the Mozilla Suite in Red Hat Enterprise Linux 3 in favor of the supported SeaMonkey Suite. This update also resolves a number of outstanding Mozilla security issues: Several flaws were found in the way Mozilla processed certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-2776, CVE-2006-2784, CVE-2006-2785, CVE-2006-2787) Several denial of service flaws were found in the way Mozilla processed certain web content. A malicious web page could crash firefox or possibly execute arbitrary code. These issues to date were not proven to be exploitable, but do show evidence of memory corruption. (CVE-2006-2779, CVE-2006-2780) A double-free flaw was found in the way Mozilla-mail displayed malformed inline vcard attachments. If a victim viewed an email message containing a carefully crafted vcard it could execute arbitrary code as the user running Mozilla-mail. (CVE-2006-2781) A cross site scripting flaw was found in the way Mozilla processed Unicode Byte-order-Mark (BOM) markers in UTF-8 web pages. A malicious web page could execute a script within the browser that a web input sanitizer could miss due to a malformed "script" tag. (CVE-2006-2783) A form file upload flaw was found in the way Mozilla handled javascript input object mutation. A malicious web page could upload an arbitrary local file at form submission time without user interaction. (CVE-2006-2782) A denial of service flaw was found in the way Mozilla called the crypto.signText() javascript function. A malicious web page could crash the browser if the victim had a client certificate loaded. (CVE-2006-2778) Two HTTP response smuggling flaws were found in the way Mozilla processed certain invalid HTTP response headers. A malicious web site could return specially crafted HTTP response headers which may bypass HTTP proxy restrictions. (CVE-2006-2786) A double free flaw was found in the way the nsIX509::getRawDER method was called. If a victim visited a carefully crafted web page it could execute arbitrary code as the user running Mozilla. (CVE-2006-2788) Users of Mozilla are advised to upgrade to this update, which contains SeaMonkey version 1.0.2 that is not vulnerable to these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-2779 CVE-2006-2780 CVE-2006-2781 CVE-2006-2783 CVE-2006-2782 CVE-2006-2778 CVE-2006-2776 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786 CVE-2006-2787 CVE-2006-2788 CVE-2006-2783 multiple Seamonkey issues (CVE-2006-2782,CVE-2006-2778,CVE-2006-2776,CVE-2006-2784,CVE-2006-2785,CVE-2006-2786,CVE-2006-2787,CVE-2006-2788) CVE-2006-2779 Multiple Mozilla issues (CVE-2006-2780, CVE-2006-2781) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdebase packages provide the core applications for KDE, the K Desktop Environment. These core packages include the file manager Konqueror. Ilja van Sprundel discovered a lock file handling flaw in kcheckpass. If the directory /var/lock is writable by a user who is allowed to run kcheckpass, that user could gain root privileges. In Red Hat Enterprise Linux, the /var/lock directory is not writable by users and therefore this flaw could only have been exploited if the permissions on that directory have been badly configured. A patch to block this issue has been included in this update. (CVE-2005-2494) The following bugs have also been addressed: - kstart --tosystray does not send the window to the system tray in Kicker - When the customer enters or selects URLs in Firefox's address field, the desktop freezes for a couple of seconds - fish kioslave is broken on 64-bit systems All users of kdebase should upgrade to these updated packages, which contain patches to resolve these issues. Low Copyright 2008 Red Hat, Inc. CVE-2005-2494 CVE-2005-2494 kcheckpass privilege escalation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. A denial of service bug was found in the way the smbd daemon tracks active connections to shares. It was possible for a remote attacker to cause the smbd daemon to consume a large amount of system memory by sending carefully crafted smb requests. (CVE-2006-3403) Users of Samba are advised to upgrade to these packages, which contain a backported patch to correct this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-3403 CVE-2006-3403 Samba denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Libwmf is a library for reading and converting Windows MetaFile vector graphics (WMF). Libwmf is used by packages such as The GIMP and ImageMagick. An integer overflow flaw was discovered in libwmf. An attacker could create a carefully crafted WMF flaw that could execute arbitrary code if opened by a victim. (CVE-2006-3376). Users of libwmf should update to these packages which contain a backported security patch to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-3376 CVE-2006-3376 libwmf integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The GIMP (GNU Image Manipulation Program) is an image composition and editing program. Henning Makholm discovered a buffer overflow bug in The GIMP XCF file loader. An attacker could create a carefully crafted image that could execute arbitrary code if opened by a victim. (CVE-2006-3404) Please note that this issue did not affect the gimp packages in Red Hat Enterprise Linux 2.1, or 3. Users of The GIMP should update to these erratum packages which contain a backported fix to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-3404 CVE-2006-3404 gimp xcf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mailman is a program used to help manage email discussion lists. A flaw was found in the way Mailman handled MIME multipart messages. An attacker could send a carefully crafted MIME multipart email message to a mailing list run by Mailman which caused that particular mailing list to stop working. (CVE-2006-2941) Several cross-site scripting (XSS) issues were found in Mailman. An attacker could exploit these issues to perform cross-site scripting attacks against the Mailman administrator. (CVE-2006-3636) Red Hat would like to thank Barry Warsaw for disclosing these vulnerabilities. Users of Mailman should upgrade to these updated packages, which contain backported patches to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-2941 CVE-2006-3636 CVE-2006-2941 Mailman DoS CVE-2006-3636 Mailman XSS issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. In May 2006, Ethereal changed its name to Wireshark. This update deprecates the Ethereal packages in Red Hat Enterprise Linux 2.1, 3, and 4 in favor of the supported Wireshark packages. Several denial of service bugs were found in Ethereal's protocol dissectors. It was possible for Ethereal to crash or stop responding if it read a malformed packet off the network. (CVE-2006-3627, CVE-2006-3629, CVE-2006-3631) Several buffer overflow bugs were found in Ethereal's ANSI MAP, NCP NMAS, and NDPStelnet dissectors. It was possible for Ethereal to crash or execute arbitrary code if it read a malformed packet off the network. (CVE-2006-3630, CVE-2006-3632) Several format string bugs were found in Ethereal's Checkpoint FW-1, MQ, XML, and NTP dissectors. It was possible for Ethereal to crash or execute arbitrary code if it read a malformed packet off the network. (CVE-2006-3628) Users of Ethereal should upgrade to these updated packages containing Wireshark version 0.99.2, which is not vulnerable to these issues Moderate Copyright 2006 Red Hat, Inc. CVE-2006-3627 CVE-2006-3628 CVE-2006-3629 CVE-2006-3630 CVE-2006-3631 CVE-2006-3632 Replace (EOL) Ethereal with Wireshark CVE-2006-3627 Mulitple security issues (CVE-2006-3628 CVE-2006-3629 CVE-2006-3630 CVE-2006-3631 CVE-2006-3632) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) files. Tavis Ormandy of Google discovered a number of flaws in libtiff during a security audit. An attacker could create a carefully crafted TIFF file in such a way that it was possible to cause an application linked with libtiff to crash or possibly execute arbitrary code. (CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, CVE-2006-3463, CVE-2006-3464, CVE-2006-3465) All users are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2008 Red Hat, Inc. CVE-2006-2656 CVE-2006-3459 CVE-2006-3460 CVE-2006-3461 CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465 CVE-2006-3459 Multiple libtiff flaws (CVE-2006-3460 CVE-2006-3461 CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Ruby is an interpreted scripting language for object-oriented programming. A number of flaws were found in the safe-level restrictions in Ruby. It was possible for an attacker to create a carefully crafted malicious script that can allow the bypass of certain safe-level restrictions. (CVE-2006-3694) Users of Ruby should update to these erratum packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-3694 CVE-2006-3694 Insecure operations in the certain safe-level restrictions CVE-2006-3694 ruby safe-level bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a flaw in sperl, the Perl setuid wrapper, which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. (CVE-2005-0155) A fix for this issue was first included in the update RHSA-2005:103 released in February 2005. However the patch to correct this issue was dropped from the update RHSA-2005:674 made in October 2005. This regression has been assigned CVE-2006-3813. Users of Perl are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-3813 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processed certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-3807, CVE-2006-3809, CVE-2006-3812) Several denial of service flaws were found in the way SeaMonkey processed certain web content. A malicious web page could crash the browser or possibly execute arbitrary code as the user running SeaMonkey. (CVE-2006-3801, CVE-2006-3677, CVE-2006-3113, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3811) A buffer overflow flaw was found in the way SeaMonkey Messenger displayed malformed inline vcard attachments. If a victim viewed an email message containing a carefully crafted vcard, it was possible to execute arbitrary code as the user running SeaMonkey Messenger. (CVE-2006-3804) Several flaws were found in the way SeaMonkey processed certain javascript actions. A malicious web page could conduct a cross-site scripting attack or steal sensitive information (such as cookies owned by other domains). (CVE-2006-3802, CVE-2006-3810) A flaw was found in the way SeaMonkey processed Proxy AutoConfig scripts. A malicious Proxy AutoConfig server could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-3808) Users of SeaMonkey are advised to upgrade to this update, which contains SeaMonkey version 1.0.3 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-3801 CVE-2006-3677 CVE-2006-3113 CVE-2006-3802 CVE-2006-3803 CVE-2006-3804 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811 CVE-2006-3812 CVE-2006-3801 Multiple Seamonkey issues (CVE-2006-3677, CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3804, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Seamonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. The Mozilla Foundation has discontinued support for the Mozilla Suite. This update deprecates the Mozilla Suite in Red Hat Enterprise Linux 4 in favor of the supported Seamonkey Suite. This update also resolves a number of outstanding Mozilla security issues: Several flaws were found in the way Seamonkey processed certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-2776, CVE-2006-2784, CVE-2006-2785, CVE-2006-2787, CVE-2006-3807, CVE-2006-3809, CVE-2006-3812) Several denial of service flaws were found in the way Seamonkey processed certain web content. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Seamonkey. (CVE-2006-2779, CVE-2006-2780, CVE-2006-3801, CVE-2006-3677, CVE-2006-3113, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3811) Two flaws were found in the way Seamonkey-mail displayed malformed inline vcard attachments. If a victim viewed an email message containing a carefully crafted vcard it was possible to execute arbitrary code as the user running Mozilla-mail. (CVE-2006-2781, CVE-2006-3804) A cross-site scripting flaw was found in the way Seamonkey processed Unicode Byte-Order-Mark (BOM) markers in UTF-8 web pages. A malicious web page could execute a script within the browser that a web input sanitizer could miss due to a malformed "script" tag. (CVE-2006-2783) Several flaws were found in the way Seamonkey processed certain javascript actions. A malicious web page could conduct a cross-site scripting attack or steal sensitive information (such as cookies owned by other domains). (CVE-2006-3802, CVE-2006-3810) A form file upload flaw was found in the way Seamonkey handled javascript input object mutation. A malicious web page could upload an arbitrary local file at form submission time without user interaction. (CVE-2006-2782) A denial of service flaw was found in the way Seamonkey called the crypto.signText() javascript function. A malicious web page could crash the browser if the victim had a client certificate loaded. (CVE-2006-2778) Two HTTP response smuggling flaws were found in the way Seamonkey processed certain invalid HTTP response headers. A malicious web site could return specially crafted HTTP response headers which may bypass HTTP proxy restrictions. (CVE-2006-2786) A flaw was found in the way Seamonkey processed Proxy AutoConfig scripts. A malicious Proxy AutoConfig server could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-3808) A double free flaw was found in the way the nsIX509::getRawDER method was called. If a victim visited a carefully crafted web page, it was possible to execute arbitrary code as the user running Mozilla. (CVE-2006-2788) Users of Mozilla are advised to upgrade to this update, which contains Seamonkey version 1.0.3 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-2779 CVE-2006-2780 CVE-2006-2781 CVE-2006-2783 CVE-2006-2782 CVE-2006-2778 CVE-2006-2776 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786 CVE-2006-2787 CVE-2006-2788 CVE-2006-3801 CVE-2006-3677 CVE-2006-3113 CVE-2006-3802 CVE-2006-3803 CVE-2006-3804 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811 CVE-2006-3812 CVE-2006-2779 Multiple Mozilla issues (CVE-2006-2780, CVE-2006-2781) CVE-2006-2783 multiple Seamonkey issues (CVE-2006-2782,CVE-2006-2778,CVE-2006-2776,CVE-2006-2784,CVE-2006-2785,CVE-2006-2786,CVE-2006-2787,CVE-2006-2788) CVE-2006-3801 Multiple Seamonkey issues (CVE-2006-3677, CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3804, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. The Mozilla Foundation has discontinued support for the Mozilla Firefox 1.0 branch. This update deprecates the Mozilla Firefox 1.0 branch in Red Hat Enterprise Linux 4 in favor of the supported Mozilla Firefox 1.5 branch. This update also resolves a number of outstanding Firefox security issues: Several flaws were found in the way Firefox processed certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-2776, CVE-2006-2784, CVE-2006-2785, CVE-2006-2787, CVE-2006-3807, CVE-2006-3809, CVE-2006-3812) Several denial of service flaws were found in the way Firefox processed certain web content. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox. (CVE-2006-2779, CVE-2006-2780, CVE-2006-3801, CVE-2006-3677, CVE-2006-3113, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3811) A cross-site scripting flaw was found in the way Firefox processed Unicode Byte-Order-Mark (BOM) markers in UTF-8 web pages. A malicious web page could execute a script within the browser that a web input sanitizer could miss due to a malformed "script" tag. (CVE-2006-2783) Several flaws were found in the way Firefox processed certain javascript actions. A malicious web page could conduct a cross-site scripting attack or steal sensitive information (such as cookies owned by other domains). (CVE-2006-3802, CVE-2006-3810) A form file upload flaw was found in the way Firefox handled javascript input object mutation. A malicious web page could upload an arbitrary local file at form submission time without user interaction. (CVE-2006-2782) A denial of service flaw was found in the way Firefox called the crypto.signText() javascript function. A malicious web page could crash the browser if the victim had a client certificate loaded. (CVE-2006-2778) Two HTTP response smuggling flaws were found in the way Firefox processed certain invalid HTTP response headers. A malicious web site could return specially crafted HTTP response headers which may bypass HTTP proxy restrictions. (CVE-2006-2786) A flaw was found in the way Firefox processed Proxy AutoConfig scripts. A malicious Proxy AutoConfig server could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-3808) A double free flaw was found in the way the nsIX509::getRawDER method was called. If a victim visited a carefully crafted web page, it was possible to execute arbitrary code as the user running Firefox. (CVE-2006-2788) Users of Firefox are advised to upgrade to this update, which contains Firefox version 1.5.0.5 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-2779 CVE-2006-2780 CVE-2006-2783 CVE-2006-2782 CVE-2006-2778 CVE-2006-2776 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786 CVE-2006-2787 CVE-2006-2788 CVE-2006-3801 CVE-2006-3677 CVE-2006-3113 CVE-2006-3802 CVE-2006-3803 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811 CVE-2006-3812 CVE-2006-2779 multiple firefox DoS issues (CVE-2006-2780) CVE-2006-2783 multiple Firefox issues (CVE-2006-2782,CVE-2006-2778,CVE-2006-2776,CVE-2006-2784,CVE-2006-2785,CVE-2006-2786,CVE-2006-2787,CVE-2006-2788) CVE-2006-3801 Multiple Seamonkey issues (CVE-2006-3677, CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812) cpe:/o:redhat:enterprise_linux