Red Hat OVAL Patch Definition Merger 2 5.3 2013-06-18T08:05:02 Red Hat Enterprise Linux 3 Quagga is an open source implementation of TCP/IP routing software. Herbert Xu reported that Quagga can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to this issue. Users of Quagga should upgrade to these erratum packages, which contain a patch that checks that netlink messages actually came from the kernel. This erratum also includes quagga-devel and quagga-contrib packages which were not originally shipped with Red Hat Enterprise Linux 3. Low Copyright 2003 Red Hat, Inc. CVE-2003-0858 CAN-2003-0858 Netlink local DoS: quagga cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The iproute package contains advanced IP routing and network device configuration tools. Herbert Xu reported that iproute can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0856 to this issue. Users of iproute should upgrade to these erratum packages, which contain a patch that checks that netlink messages actually came from the kernel. Low Copyright 2003 Red Hat, Inc. CVE-2003-0856 CAN-2003-0856 Netlink local DoS: iproute cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. A number of security issues affect Ethereal. By exploiting these issues, it may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully-malformed packet onto the wire or by convincing someone to read a malformed packet trace file. A buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed GTP MSISDN string. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0925 to this issue. Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service (crash) via certain malformed ISAKMP or MEGACO packets. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0926 to this issue. A heap-based buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SOCKS dissector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0927 to this issue. Users of Ethereal should update to these erratum packages containing Ethereal version 0.9.16, which is not vulnerable to these issues. Moderate Copyright 2003 Red Hat, Inc. CVE-2003-0925 CVE-2003-0926 CVE-2003-0927 CAN-2003-0925/6/7 Ethereal 0.9.13 has three exploitable security issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The glibc packages contain GNU libc, which provides standard system libraries. Herbert Xu reported that various applications can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The glibc function getifaddrs uses netlink and could therefore be vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0859 to this issue. In addition to the security issues, a number of other bugs were fixed. Users are advised to upgrade to these erratum packages, which contain a patch that checks that netlink messages actually came from the kernel and patches for the various bug fixes. Low Copyright 2003 Red Hat, Inc. CVE-2003-0859 backtrace() is broken getnameinfo fails to to reverse lookup on IPv6 addresses LD_PROFILE=libc.so.6 and sprof give seg fault locale utility is broken on big-endian 64-bit platforms LTC5138-NPTL: pthread_condtimedwait hang or mutex_lock hang Signal handler installation races with signal, glibc-2.3.2 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 FreeRADIUS is an Internet authentication daemon, which implements the RADIUS protocol. It allows Network Access Servers (NAS boxes) to perform authentication for dial-up users. The rad_decode function in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute with a tag, which causes memcpy to be called with a -1 length argument, as demonstrated using the Tunnel-Password attribute. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0967 to this issue. Users of FreeRADIUS are advised to upgrade to these erratum packages containing FreeRADIUS 0.9.3 which is not vulnerable to these issues. Moderate Copyright 2003 Red Hat, Inc. CVE-2003-0967 CAN-2003-0967/8 FreeRadius remote DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 GnuPG is a utility for encrypting data and creating digital signatures. Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys, when those keys are used both to sign and encrypt data. This vulnerability can be used to trivially recover the private key. While the default behavior of GnuPG when generating keys does not lead to the creation of unsafe keys, by overriding the default settings an unsafe key could have been created. If you are using ElGamal keys, you should revoke those keys immediately. The packages included in this update do not make ElGamal keys safe to use; they merely include a patch by David Shaw that disables functions that would generate or use ElGamal keys. To determine if your key is affected, run the following command to obtain a list of secret keys that you have on your secret keyring: gpg --list-secret-keys The output of this command includes both the size and type of the keys found, and will look similar to this example: /home/example/.gnupg/secring.gpg ---------------------------------------------------- sec 1024D/01234567 2000-10-17 Example User <example@example.com> uid Example User <example@example.com> The key length, type, and ID are listed together, separated by a forward slash. In the example output above, the key's type is "D" (DSA, sign and encrypt). Your key is unsafe if and only if the key type is "G" (ElGamal, sign and encrypt). In the above example, the secret key is safe to use, while the secret key in the following example is not: /home/example/.gnupg/secring.gpg ---------------------------------------------------- sec 1024G/01234567 2000-10-17 Example User <example@example.com> uid Example User <example@example.com> For more details regarding this issue, as well as instructions on how to revoke any keys that are unsafe, refer to the advisory available from the GnuPG web site: http://www.gnupg.org/ Important Copyright 2003 Red Hat, Inc. CVE-2003-0971 CAN-2003-0971 GnuPG ElGamal compromise cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 rsync is a program for sychronizing files over the network. A heap overflow bug exists in rsync versions prior to 2.5.7. On machines where the rsync server has been enabled, a remote attacker could use this flaw to execute arbitrary code as an unprivileged user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0962 to this issue. All users should upgrade to these erratum packages containing version 2.5.7 of rsync, which is not vulnerable to this issue. NOTE: The rsync server is disabled (off) by default in Red Hat Enterprise Linux. To check if the rsync server has been enabled (on), run the following command: /sbin/chkconfig --list rsync If the rsync server has been enabled but is not required, it can be disabled by running the following command as root: /sbin/chkconfig rsync off Red Hat would like to thank the rsync team for their rapid response and quick fix for this issue. Critical Copyright 2003 Red Hat, Inc. CVE-2003-0962 CAN-2003-0962 rsync remote exploit cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 lftp is a command-line file transfer program supporting FTP and HTTP protocols. Ulf Härnhammar discovered a buffer overflow bug in versions of lftp up to and including 2.6.9. An attacker could create a carefully crafted directory on a website such that, if a user connects to that directory using the lftp client and subsequently issues a 'ls' or 'rels' command, the attacker could execute arbitrary code on the users machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0963 to this issue. Users of lftp are advised to upgrade to these erratum packages, which contain a backported security patch and are not vulnerable to this issue. Red Hat would like to thank Ulf Härnhammar for discovering and alerting us to this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2003-0963 CAN-2003-0963 lftp client buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel versions 2.4.23 and previous which may allow a local attacker to gain root privileges. No exploit is currently available; however, it is believed that this issue is exploitable (although not trivially.) The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0985 to this issue. All users of Red Hat Enterprise Linux 3 are advised to upgrade to these errata packages, which contain a backported security patch that corrects this issue. Red Hat would like to thank Paul Starzetz from ISEC for disclosing this issue as well as Andrea Arcangeli and Solar Designer for working on the patch. Important Copyright 2004 Red Hat, Inc. CVE-2003-0985 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. Two security issues have been found that affect Ethereal. By exploiting these issues it may be possible to make Ethereal crash by injecting an intentionally malformed packet onto the wire or by convincing someone to read a malformed packet trace file. It is not known if these issues could allow arbitrary code execution. The SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of Selected packets. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-1012 to this issue. The Q.931 dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-1013 to this issue. Users of Ethereal should update to these erratum packages containing Ethereal version 0.10.0, which is not vulnerable to these issues. Low Copyright 2004 Red Hat, Inc. CVE-2003-1012 CVE-2003-1013 CAN-2003-1012/3 Ethereal security issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 CVS is a version control system frequently used to manage source code repositories. A flaw was found in versions of CVS prior to 1.11.10 where a malformed module request could cause the CVS server to attempt to create files or directories at the root level of the file system. However, normal file system permissions would prevent the creation of these misplaced directories. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0977 to this issue. Users of CVS are advised to upgrade to these erratum packages, which contain a patch correcting this issue. For Red Hat Enterprise Linux 2.1, these updates also fix an off-by-one overflow in the CVS PreservePermissions code. The PreservePermissions feature is not used by default (and can only be used for local CVS). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0844 to this issue. Low Copyright 2004 Red Hat, Inc. CVE-2002-0844 CVE-2003-0977 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The K Desktop Environment (KDE) is a graphical desktop for the X Window System. The KDE Personal Information Management (kdepim) suite helps you to organize your mail, tasks, appointments, and contacts. The KDE team found a buffer overflow in the file information reader of VCF files. An attacker could construct a VCF file so that when it was opened by a victim it would execute arbitrary commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue. Users of kdepim are advised to upgrade to these erratum packages which contain a backported security patch that corrects this issue. Important Copyright 2004 Red Hat, Inc. CVE-2003-0988 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Tcpdump is a command-line tool for monitoring network traffic. George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue. Jonathan Heusser discovered an additional flaw in the ISAKMP decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue. Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue. Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these pakets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2003-0989 CVE-2004-0055 CVE-2004-0057 CAN-2003-0989 tcpdump parsing overflow CAN-2004-0055 CAN-2004-0057 Two issues found in tpcdump cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. An issue in the handling of regular expressions from configuration files was discovered in releases of the Apache HTTP Server version 2.0 prior to 2.0.48. To exploit this issue an attacker would need to have the ability to write to Apache configuration files such as .htaccess or httpd.conf. A carefully-crafted configuration file can cause an exploitable buffer overflow and would allow the attacker to execute arbitrary code in the context of the server (in default configurations as the 'apache' user). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0542 to this issue. Users of the Apache HTTP Server should upgrade to these erratum packages, which contain backported patches correcting these issues, and are applied to Apache version 2.0.46. This update also includes fixes for a number of minor bugs found in this version of the Apache HTTP Server. Low Copyright 2004 Red Hat, Inc. CVE-2003-0542 long httpd graceful reload times CAN-2003-0542 local buffer overflow in config file parsing cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the first regular kernel update for Red Hat Enterprise Linux version 3. It contains a new critical security fix, many other bug fixes, several device driver updates, and numerous performance and scalability enhancements. On AMD64 systems, a fix was made to the eflags checking in 32-bit ptrace emulation that could have allowed local users to elevate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0001 to this issue. Other bug fixes were made in the following kernel areas: VM, NPTL, IPC, kernel timer, ext3, NFS, netdump, SCSI, ACPI, several device drivers, and machine-dependent support for the x86_64, ppc64, and s390 architectures. The VM subsystem was improved to better handle extreme loads and resource contention (such as might occur during heavy database application usage). This has resulted in a significantly reduced possibility of hangs, OOM kills, and low-mem exhaustion. Several NPTL fixes were made to resolve POSIX compliance issues concerning process IDs and thread IDs. A section in the Release Notes elaborates on a related issue with file record locking in multi-threaded applications. AMD64 kernels are now configured with NUMA support, S390 kernels now have CONFIG_BLK_STATS enabled, and DMA capability was restored in the IA64 agpgart driver. The following drivers have been upgraded to new versions: cmpci ------ 6.36 e100 ------- 2.3.30-k1 e1000 ------ 5.2.20-k1 ips -------- 6.10.52 megaraid --- v1.18k megaraid2 -- v2.00.9 All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2003-0986 CVE-2004-0001 Infinite recursion in SCSI mid layer Assert failure in transaction.c:1224: "!jh->b_committed_data C write fails for records gt 2 GB hang in ptrace for gdb traceback SMP Kernel hang on shutdown with Intel SRCZCR Raid Controller Broadcom tg3 driver duplex won't set SCSI I/O stall problem Base driver button not loaded LTC4829-RHEL 3 HANGS under heavy stress load No disk/partition statistics in /proc/partitions Millisecond timer resolution on ia64 No AGP support on Tyan 2885 K8W running processes are not listed in /proc, with ps or top Kernel Panic when running pulse deamon cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Net-SNMP project includes various Simple Network Management Protocol (SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could allow an existing user/community to gain access to data in MIB objects that were explicitly excluded from their view. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0935 to this issue. Users of Net-SNMP are advised to upgrade to these errata packages containing Net-SNMP 5.0.9, which is not vulnerable to this issue. In addition, Net-SNMP 5.0.9 fixes a number of other minor bugs. Moderate Copyright 2004 Red Hat, Inc. CVE-2003-0935 net-snmp unauthorised access to mibs cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The netpbm package contains a library of functions that support programs for handling various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps), and others. A number of temporary file bugs have been found in versions of NetPBM. These could make it possible for a local user to overwrite or create files as a different user who happens to run one of the the vulnerable utilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0924 to this issue. Users are advised to upgrade to the erratum packages, which contain patches from Debian that correct these bugs. Moderate Copyright 2004 Red Hat, Inc. CVE-2003-0924 CAN-2003-0924 netpbm temporary file vulnerabilities cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Gaim is an instant messenger client that can handle multiple protocols. Stefan Esser audited the Gaim source code and found a number of bugs that have security implications. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. However at least one of the buffer overflows could be exploited by an attacker sending a carefully-constructed malicious message through a server. The issues include: Multiple buffer overflows that affect versions of Gaim 0.75 and earlier. 1) When parsing cookies in a Yahoo web connection, 2) YMSG protocol overflows parsing the Yahoo login webpage, 3) a YMSG packet overflow, 4) flaws in the URL parser, and 5) flaws in HTTP Proxy connect. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0006 to these issues. A buffer overflow in Gaim 0.74 and earlier in the Extract Info Field Function used for MSN and YMSG protocol handlers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0007 to this issue. An integer overflow in Gaim 0.74 and earlier, when allocating memory for a directIM packet results in heap overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0008 to this issue. All users of Gaim should upgrade to these erratum packages, which contain backported security patches correcting these issues. Red Hat would like to thank Steffan Esser for finding and reporting these issues and Jacques A. Vidrine for providing initial patches. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0006 CVE-2004-0007 CVE-2004-0008 CAN-2004-0006/7/8 Multiple vulnerabilities in Gaim cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Slocate is a security-enhanced version of locate, designed to find files on a system via a central database. Patrik Hornik discovered a vulnerability in Slocate versions up to and including 2.7 where a carefully crafted database could overflow a heap-based buffer. A local user could exploit this vulnerability to gain "slocate" group privileges and then read the entire slocate database. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0848 to this issue. Users of Slocate should upgrade to these erratum packages, which contain Slocate version 2.7 with the addition of a patch from Kevin Lindsay that causes slocate to drop privileges before reading a user-supplied database. For Red Hat Enterprise Linux 2.1 these packages also fix a buffer overflow that affected unpatched versions of Slocate prior to 2.7. This vulnerability could also allow a local user to gain "slocate" group privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0056 to this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2003-0848 CVE-2003-0056 CAN-2003-0848 slocate buffer overflow CAN-2003-0056 buffer overflow in slocate cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PWLib is a cross-platform class library designed to support the OpenH323 project. OpenH323 provides an implementation of the ITU H.323 teleconferencing protocol, used by packages such as Gnome Meeting. A test suite for the H.225 protocol (part of the H.323 family) provided by the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker could trigger these bugs by sending carefully crafted messages to an application. The effects of such an attack can vary depending on the application, but would usually result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0097 to this issue. Users are advised to upgrade to the erratum packages, which contain backported security fixes and are not vulnerable to these issues. Red Hat would like to thank Craig Southeren of the OpenH323 project for providing the fixes for these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0097 CAN-2004-0097 PWlib/OpenH323 vulnerabilities cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mutt is a text-mode mail user agent. A bug was found in the index menu code in versions of mutt. A remote attacker could send a carefully crafted mail message that can cause mutt to segfault and possibly execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0078 to this issue. It is recommended that all mutt users upgrade to these updated packages, which contain a backported security patch and are not vulnerable to this issue. Red Hat would like to thank Niels Heinen for reporting this issue. Note: mutt-1.2.5.1 in Red Hat Enterprise Linux 2.1 is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0078 CAN-2004-0078 Mutt can be remotely crashed cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Sysstat is a tool for gathering system statistics. Isag is a utility for graphically displaying these statistics. A bug was found in the Red Hat sysstat package post and trigger scripts, which used insecure temporary file names. A local attacker could overwrite system files using carefully-crafted symbolic links in the /tmp directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0107 to this issue. While fixing this issue, a flaw was discovered in the isag utility, which also used insecure temporary file names. A local attacker could overwrite files that the user running isag has write access to using carefully-crafted symbolic links in the /tmp directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0108 to this issue. Other issues addressed in this advisory include: * iostat -x should return all partitions on the system (up to a maximum of 1024) * sar should handle network device names with more than 8 characters properly * mpstat should work correctly with more than 7 CPUs as well as generate correct statistics when accessing individual CPUs. This issue only affected Red Hat Enterprise Linux 2.1 * The sysstat package was not built with the proper dependencies; therefore, it was possible that isag could not be run because the necessary tools were not available. Therefore, isag was split off into its own subpackage with the required dependencies in place. This issue only affects Red Hat Enterprise Linux 2.1. Users of sysstat and isag should upgrade to these updated packages, which contain patches to correct these issues. NOTE: In order to use isag on Red Hat Enterprise Linux 2.1, you must install the sysstat-isag package after upgrading. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0107 CVE-2004-0108 sysstat package post scripts, trigger scripts use insecure tmp files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 mod_python embeds the Python language interpreter within the Apache httpd server. A bug has been found in mod_python versions 2.7.10 and earlier that can lead to a denial of service vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0973 to this issue. Although Red Hat Enterprise Linux shipped with a version of mod_python that contains this bug, our testing was unable to trigger the denial of service vulnerability. However, mod_python users are advised to upgrade to these errata packages, which contain a backported patch that corrects this bug. Low Copyright 2004 Red Hat, Inc. CVE-2003-0973 CVE-2004-0096 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an implementation of the X Window System, providing the core graphical user interface and video drivers. iDefense discovered two buffer overflows in the parsing of the 'font.alias' file. A local attacker could exploit this vulnerability by creating a carefully-crafted file and gaining root privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0083 and CAN-2004-0084 to these issues. Additionally David Dawes discovered additional flaws in reading font files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0106 to these issues. All users of XFree86 are advised to upgrade to these erratum packages, which contain a backported fix and are not vulnerable to these issues. Red Hat would like to thank David Dawes from XFree86 for the patches and notification of these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0083 CVE-2004-0084 CVE-2004-0106 CAN-2004-0083 XFree86 font.alias overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. The Samba team discovered an issue that affects version 3.0.0 and 3.0.1 of Samba. If an account for a user is created, but marked as disabled using the mksmbpasswd script, it is possible for Samba to overwrite the user's password with the contents of an uninitialized buffer. This might lead to a disabled account becoming enabled with a password that could be guessed by an attacker. Although this is likely to be a low risk issue for most Samba users, we have provided updated packages, which contain a backported patch correcting this issue. Red Hat would like to thank the Samba team for reporting this issue and providing us with a patch. Note: Due to a packaging error in samba-3.0.0-14.3E, the winbind daemon is not automatically restarted when the Samba package is upgraded. After up2date has installed the samba-3.0.2-4.3E packages, you must run "/sbin/service winbind condrestart" as root to restart the winbind daemon. Low Copyright 2004 Red Hat, Inc. CVE-2004-0082 CAN-2004-0082 mksmbpasswd vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered a flaw in return value checking in mremap() in the Linux kernel versions 2.4.24 and previous that may allow a local attacker to gain root privileges. No exploit is currently available; however this issue is exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0077 to this issue. All users are advised to upgrade to these errata packages, which contain backported security patches that correct these issues. Red Hat would like to thank Paul Starzetz from ISEC for reporting this issue. For the IBM S/390 and IBM eServer zSeries architectures, the upstream version of the s390utils package (which fixes a bug in the zipl bootloader) is also included. Important Copyright 2004 Red Hat, Inc. CVE-2004-0077 OOM killer strikes with lots of free swap space RHEL 3.0 smp hang using prctl( PR_SET_PDEATHSIG CAN-2004-0077 Linux kernel do_mremap VMA limit local privilege escalation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The nfs-utils package contains the rpc.mountd program, which implements the NFS mount protocol. A flaw was discovered in versions of rpc.mountd in nfs-utils versions after 1.0.3 and prior to 1.0.6. When mounting a directory, rpc.mountd could crash if the reverse lookup of the client in DNS failed to match the forward lookup. An attacker who has the ability to mount remote directories from a server could make use of this flaw to cause a denial of service by making rpc.mountd crash. Users are advised to upgrade to these updated packages, which contain nfs-utils 1.0.6 and is not vulnerable to this issue. NOTE: Red Hat Enterprise Linux 2.1 includes a version of rpc.mountd that is not vulnerable to this issue. Low Copyright 2004 Red Hat, Inc. CVE-2004-0154 rpc.mountd killed by remote mount request cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. A memory leak in mod_ssl in the Apache HTTP Server prior to version 2.0.49 allows a remote denial of service attack against an SSL-enabled server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0113 to this issue. This update also includes various bug fixes, including: - Improvements to the mod_expires, mod_dav, mod_ssl, and mod_proxy modules - A fix for a bug causing core dumps during configuration parsing on the IA64 platform - An updated version of mod_include fixing several edge cases in the SSI parser Additionally, the mod_logio module is now included. Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0113 Invalid paths in config_vars.mk crash build of mod_jk mod_expires headers not set when used in conjunction with mod_proxy SRPMS: test for MMN version it too fragile Satisfy keyword in httpd.conf causes apache to segfault on load pcre conflict between httpd and php CAN-2004-0113 mod_ssl Denial of Service attack cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 libxml2 is a library for manipulating XML files. Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0110 to this issue. All users are advised to upgrade to these updated packages, which contain a backported fix and are not vulnerable to this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0110 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. Thomas Kristensen discovered a bitmap file that would cause versions of gdk-pixbuf prior to 0.20 to crash. To exploit this flaw, an attacker would need to get a victim to open a carefully-crafted BMP file in an application that used gdk-pixbuf. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0111 to this issue. Users are advised to upgrade to these updated packages containing gdk-pixbuf version 0.22, which is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0111 CAN-2004-0111 gdk-pixbuf can crash with malicious BMP file cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is a Web browser and mail reader, designed for standards compliance, performance and portability. Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. NISCC testing of implementations of the S/MIME protocol uncovered a number of bugs in NSS versions prior to 3.9. The parsing of unexpected ASN.1 constructs within S/MIME data could cause Mozilla to crash or consume large amounts of memory. A remote attacker could potentially trigger these bugs by sending a carefully-crafted S/MIME message to a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0564 to this issue. Andreas Sandblad discovered a cross-site scripting issue that affects various versions of Mozilla. When linking to a new page it is still possible to interact with the old page before the new page has been successfully loaded. Any Javascript events will be invoked in the context of the new page, making cross-site scripting possible if the different pages belong to different domains. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0191 to this issue. Flaws have been found in the cookie path handling between a number of Web browsers and servers. The HTTP cookie standard allows a Web server supplying a cookie to a client to specify a subset of URLs on the origin server to which the cookie applies. Web servers such as Apache do not filter returned cookies and assume that the client will only send back cookies for requests that fall within the server-supplied subset of URLs. However, by supplying URLs that use path traversal (/../) and character encoding, it is possible to fool many browsers into sending a cookie to a path outside of the originally-specified subset. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0594 to this issue. Users of Mozilla are advised to upgrade to these updated packages, which contain Mozilla version 1.4.2 and are not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2003-0564 CVE-2003-0594 CVE-2004-0191 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3), Transport Layer Security (TLS v1) protocols, and serves as a full-strength general purpose cryptography library. Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function in OpenSSL 0.9.6c-0.9.6k and 0.9.7a-0.9.7c. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that uses the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0079 to this issue. Stephen Henson discovered a flaw in SSL/TLS handshaking code when using Kerberos ciphersuites in OpenSSL 0.9.7a-0.9.7c. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. Most applications have no ability to use Kerberos ciphersuites and will therefore be unaffected by this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0112 to this issue. Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a bug in older versions of OpenSSL 0.9.6 prior to 0.9.6d that may lead to a denial of service attack (infinite loop). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0081 to this issue. This issue affects only the OpenSSL compatibility packages shipped with Red Hat Enterprise Linux 3. These updated packages contain patches provided by the OpenSSL group that protect against these issues. Additionally, the version of libica included in the OpenSSL packages has been updated to 1.3.5. This only affects IBM s390 and IBM eServer zSeries customers and is required for the latest openCryptoki packages. NOTE: Because server applications are affected by this issue, users are advised to either restart all services that use OpenSSL functionality or restart their systems after installing these updates. Important Copyright 2004 Red Hat, Inc. CVE-2004-0079 CVE-2004-0081 CVE-2004-0112 CAN-2004-0079/0081/0112 Flaws in OpenSSL cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A bug was found in the processing of %-encoded characters in a URL in versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses Access Control Lists (ACLs), a remote attacker could create URLs that would not be correctly tested against Squid's ACLs, potentially allowing clients to access prohibited URLs. Users of Squid should update to these erratum packages which are not vulnerable to this issue. In addition, these packages contain a new Access Control type, "urllogin", which can be used to protect vulnerable Microsoft Internet Explorer clients from accessing URLs that contain login information. Such URLs are often used by fraudsters to trick web users into revealing valuable personal data. Note that the default Squid configuration does not make use of this new access control type. You must explicitly configure Squid with ACLs that use this new type, in accordance with your own site policies. Low Copyright 2004 Red Hat, Inc. CVE-2004-0189 CAN-2004-0189 Squid ACL bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. Stefan Esser reported that Ethereal versions 0.10.1 and earlier contain stack overflows in the IGRP, PGM, Metflow, ISUP, TCAP, or IGAP dissectors. On a system where Ethereal is being run a remote attacker could send malicious packets that could cause Ethereal to crash or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0176 to this issue. Jonathan Heussser discovered that a carefully-crafted RADIUS packet could cause a crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0365 to this issue. Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0367 to this issue. Users of Ethereal should upgrade to these updated packages, which contain a version of Ethereal that is not vulnerable to these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0176 CVE-2004-0365 CVE-2004-0367 CVE-2004-1761 CAN-2004-0176 Ethereal dissector overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 CVS is a version control system frequently used to manage source code repositories. Sebastian Krahmer discovered a flaw in CVS clients where rcs diff files can create files with absolute pathnames. An attacker could create a fake malicious CVS server that would cause arbitrary files to be created or overwritten when a victim connects to it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0180 to this issue. Derek Price discovered a vulnerability whereby a CVS pserver could be abused by a malicious client to view the contents of certain files outside of the CVS root directory using relative pathnames containing "../". The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0405 to this issue. Users of CVS are advised to upgrade to these erratum packages, which contain a patch correcting this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0180 CVE-2004-0405 CAN-2004-0180 Malicious CVS server cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenOffice.org is an Open Source, community-developed, multi-platform office productivity suite. OpenOffice internally uses inbuilt code from neon, an HTTP and WebDAV client library. Versions of the neon client library up to and including 0.24.4 have been found to contain a number of format string bugs. An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client should a user connect to it using OpenOffice. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0179 to this issue. Users of OpenOffice are advised to upgrade to these updated packages, which contain a patch correcting this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0179 CAN-2004-0179 neon format string vulnerability affects openoffice cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 IPSEC uses strong cryptography to provide both authentication and encryption services. With versions of ipsec-tools prior to 0.2.3, it was possible for an attacker to cause unauthorized deletion of SA (Security Associations.) The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0164 to this issue. With versions of ipsec-tools prior to 0.2.5, the RSA signature on x.509 certificates was not properly verified when using certificate based authentication. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0155 to this issue. When ipsec-tools receives an ISAKMP header, it will attempt to allocate sufficient memory for the entire ISAKMP message according to the header's length field. If an attacker crafts an ISAKMP header with a extremely large value in the length field, racoon may exceed operating system resource limits and be terminated, resulting in a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0403 to this issue. User of IPSEC should upgrade to this updated package, which contains ipsec-tools version 0.25 along with a security patch for CAN-2004-0403 which resolves all these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0155 CVE-2004-0164 CVE-2004-0403 CAN-2004-0155/CAN-2004-0164/CAN-2004-0403 IPSEC vulnerabilities cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Utempter is a utility that allows terminal applications such as xterm and screen to update utmp and wtmp without requiring root privileges. Steve Grubb discovered a flaw in Utempter which allowed device names containing directory traversal sequences such as '/../'. In combination with an application that trusts the utmp or wtmp files, this could allow a local attacker the ability to overwrite privileged files using a symlink. Users should upgrade to this new version of utempter, which fixes this vulnerability. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0233 CAN-2004-0233 utempter directory traversal symlink attack cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 LHA is an archiving and compression utility for LHarc format archives. Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA. An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0234 to this issue. An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0235 to this issue. Users of LHA should update to this updated package which contains backported patches not vulnerable to these issues. Red Hat would like to thank Ulf Harnhammar for disclosing and providing test cases and patches for these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0234 CVE-2004-0235 CAN-2004-0234/0235 lha security flaws cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. Steve Grubb discovered a out of bounds memory access flaw in libpng. An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash when opened by a victim. This issue may not be used to execute arbitrary code. Users are advised to upgrade to these updated packages that contain a backported security fix not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0421 CAN-2004-0421 libpng can access out of bounds memory cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. iSEC Security Research discovered a flaw in the ip_setsockopt() function code of the Linux kernel versions 2.4.22 to 2.4.25 inclusive. This flaw also affects the 2.4.21 kernel in Red Hat Enterprise Linux 3 which contained a backported version of the affected code. A local user could use this flaw to gain root privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0424 to this issue. iDefense reported a buffer overflow flaw in the ISO9660 filesystem code. An attacker could create a malicious filesystem in such a way that root privileges may be obtained if the filesystem is mounted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0109 to this issue. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2004-0109 CVE-2004-0424 CAN-2004-0109 kernel iso9660 buffer overflow CAN-2004-0424 Linux kernel setsockopt MCAST_MSFILTER integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the second regular kernel update to Red Hat Enterprise Linux version 3. It contains several minor security fixes, many bug fixes, device driver updates, new hardware support, and the introduction of Linux Syscall Auditing support. There were bug fixes in many different parts of the kernel, the bulk of which addressed unusual situations such as error handling, race conditions, and resource starvation. The combined effect of the approximately 140 fixes is a strong improvement in the reliability and durability of Red Hat Enterprise Linux. Some of the key areas affected are disk drivers, network drivers, USB support, x86_64 and ppc64 platform support, ia64 32-bit emulation layer enablers, and the VM, NFS, IPv6, and SCSI subsystems. A significant change in the SCSI subsystem (the disabling of the scsi-affine-queue patch) should significantly improve SCSI disk driver performance in many scenarios. There were 10 Bugzillas against SCSI performance problems addressed by this change. The following drivers have been upgraded to new versions: bonding ---- 2.4.1 cciss ------ 2.4.50.RH1 e1000 ------ 5.2.30.1-k1 fusion ----- 2.05.11.03 ipr -------- 1.0.3 ips -------- 6.11.07 megaraid2 -- 2.10.1.1 qla2x00 ---- 6.07.02-RH1 tg3 -------- 3.1 z90crypt --- 1.1.4 This update introduces support for the new Intel EM64T processor. A new "ia32e" architecture has been created to support booting on platforms based on either the original AMD Opteron CPU or the new Intel EM64T CPU. The existing "x86_64" architecture has remained optimized for Opteron systems. Kernels for both types of systems are built from the same x86_64-architecture sources and share a common kernel source RPM (kernel-source-2.4.21-15.EL.x86_64.rpm). Other highlights in this update include a major upgrade to the SATA infrastructure, addition of IBM JS20 Power Blade support, and creation of an optional IBM eServer zSeries On-Demand Timer facility for reducing idle CPU overhead. The following security issues were addressed in this update: A minor flaw was found where /proc/tty/driver/serial reveals the exact character counts for serial links. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0461 to this issue. The kernel strncpy() function in Linux 2.4 and 2.5 does not pad the target buffer with null bytes on architectures other than x86, as opposed to the expected libc behavior, which could lead to information leaks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0465 to this issue. A minor data leak was found in two real time clock drivers (for /dev/rtc). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0984 to this issue. A flaw in the R128 Direct Render Infrastructure (dri) driver could allow local privilege escalation. This driver is part of the kernel-unsupported package. The Common Vulnera- bilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0003 to this issue. A flaw in ncp_lookup() in ncpfs could allow local privilege escalation. The ncpfs module allows a system to mount volumes of NetWare servers or print to NetWare printers and is in the kernel-unsupported package. The Common Vulnera- bilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0010 to this issue. (Note that the kernel-unsupported package contains drivers and other modules that are unsupported and therefore might contain security problems that have not been addressed.) All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2003-0461 CVE-2003-0465 CVE-2003-0984 CVE-2003-1040 CVE-2004-0003 CVE-2004-0010 Disk READ performance worse compared with 2.4.20-18.9smp The synchronous write() system call of RHEL3.0 is slower than that of RHEL2.1. ia64 kernel stops allocating memory too early when overcommit_memory set to strict 'cp -p' returns error when destination is an nfs directory Random stall during boot-up MINSIGSTKSZ mismatch between ia32 and ia64 3ware raid extremely low throughput Typo in module parameter of scsi_mod module PATCH: LTC5351-Large external array causes SIGILL in 32-bit [PATCH] LTC5381- rhel 3 will need to pick up the cyclone-lpj-fix patch clock is running to fast on IBM x445 tg3 driver fails to autonegotiate correctly ada compiler crashes on even hello-world [PATCH] alternate signal stack bug corrupts RNaT bits ACL over NFS problem Invalid ICMP type 11 messages echo'd to console /proc/pid/statm can return negative values [PATCH] oops in IUCV code avoid hang during initialization on I/O errors Duplicate get_partition_list bug to track Bugzilla 111342 in Taroon - RHEL 3.0 using v6.06.00b11 driver attached to McData switch doesn't log in or scan devices successfully. (TG3) driver doesn't work properly with bcm5700 nic reservation error code, corrupts request queue RHEL3 kernel not preventing or recovering from fork bomb when ulimit used LTC5732 - MMIO alignment error when inserting the olympic TR module. [PATCH] RHEL3 ia64: 32 bit applications don't dump core properly [PATCH] RHEL3/ia64: strace -f on multithreaded 32 bit applications doesn't work CAN-2003-0461 /proc reveals char count CAN-2003-0465 kernel strncpy padding CAN-2003-0984 minor /dev/rtc leak lousy read performance on megaraid with 2.4.21-4.0.2.EL netdump - various race conditions that lead to hangs in panic()/die() too many ipv6 aliases cause kernel oops CAN-2004-0003 r128 DRI depmod is not run for kernel-2.4.21-9.EL from Quaterly Update #1 [PATCH] Excutable compiled on x86 can cause kernel seg fault on x86_64 Raw device performance poor under WS 3 Dreamworks IT#29689 LSI Megaraid(2) performance subpar in RHEL3, using RHEL3 kernel Bad performance with Q1 update kernel (-9EL) zfcp updates for RHEL3 U2 Panic in elf_core_copy_regs() core dumping ia32 binary date returns future year of 586562 RHEL 3.0 default QLogic driver v6.06.00b11 spews sg_low_free and QUEUE FULL messages at load time. Running I/O on RHEL 3.0 and using the v6.06.00b11 driver, the driver ran out of memory and began arbitrarily killing processes. bad disk I/O performance with the 2.4.21-4.ELsmp kernel strange load - kswapd/IO ? CAN-2004-0010 ncpfs hole (unsupported) tg3 driver doesn't support bonding driver's ALB mode P4 2.8ghz HT, Using RHEL WS 3.0 Update 1, latest SMP Kernel, see only 1 CPU frequent kernel panics system needlessly thrashing swap partition MTRRs not initialized correctly kswapd in state R and D load constant at 1+ Machine doesn't boot SMP Kernel after installation [PATCH] kernel panics when removing expired IPsec SAs /proc/cpuinfo vendor_id is wrong. shows $ kernel module binfmt_misc missing nfs peformance very bad on EL3 Runaway processes with USB console on Blade Center servers freeze (only respond to ping and sysrq) periodically cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 CVS is a version control system frequently used to manage source code repositories. Stefan Esser discovered a flaw in cvs where malformed "Entry" lines could cause a heap overflow. An attacker who has access to a CVS server could use this flaw to execute arbitrary code under the UID which the CVS server is executing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0396 to this issue. Users of CVS are advised to upgrade to this updated package, which contains a backported patch correcting this issue. Red Hat would like to thank Stefan Esser for notifying us of this issue and Derek Price for providing an updated patch. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0396 CAN-2004-0396 CVS pserver heap overflow via Entry/Is-modified/Unchanged cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Rsync is a program for synchronizing files over a network. Rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot. This could allow a remote attacker to write files outside of the module's "path", depending on the privileges assigned to the rsync daemon. Users not running an rsync daemon, running a read-only daemon, or running a chrooted daemon are not affected by this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0426 to this issue. Users of Rsync are advised to upgrade to this updated package, which contains a backported patch and is not affected by this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0426 CAN-2004-0426 rsync directory traversal cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Tcpdump is a command-line tool for monitoring network traffic. Tcpdump v3.8.1 and earlier versions contained multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP would try to read beyond the end of the packet capture buffer and subsequently crash. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. Low Copyright 2004 Red Hat, Inc. CVE-2004-0183 CVE-2004-0184 CAN-2004-0183/0184 tcpdump ISAKMP crash CAN-2004-0183/0184 tcpdump ISAKMP crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 CVS is a version control system frequently used to manage source code repositories. While investigating a previously fixed vulnerability, Derek Price discovered a flaw relating to malformed "Entry" lines which lead to a missing NULL terminator. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0414 to this issue. Stefan Esser and Sebastian Krahmer conducted an audit of CVS and fixed a number of issues that may have had security consequences. Among the issues deemed likely to be exploitable were: -- a double-free relating to the error_prog_name string (CAN-2004-0416) -- an argument integer overflow (CAN-2004-0417) -- out-of-bounds writes in serv_notify (CAN-2004-0418). An attacker who has access to a CVS server may be able to execute arbitrary code under the UID on which the CVS server is executing. Users of CVS are advised to upgrade to this updated package, which contains backported patches correcting these issues. Red Hat would like to thank Stefan Esser, Sebastian Krahmer, and Derek Price for auditing, disclosing, and providing patches for these issues. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0414 CVE-2004-0416 CVE-2004-0417 CVE-2004-0418 CVE-2004-0778 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. The MMSE dissector in Ethereal releases 0.10.1 through 0.10.3 contained a buffer overflow flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0507 to this issue. In addition, other flaws in Ethereal prior to 0.10.4 were found that could cause it to crash in response to carefully crafted SIP (CAN-2004-0504), AIM (CAN-2004-0505), or SPNEGO (CAN-2004-0506) packets. Users of Ethereal should upgrade to these updated packages, which contain backported security patches that correct these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0504 CVE-2004-0505 CVE-2004-0506 CVE-2004-0507 CAN-2004-0504/5/6/7 Ethereal 0.10.4 contains security fixes cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Kerberos is a network authentication system. Bugs have been fixed in the krb5_aname_to_localname library function. Specifically, buffer overflows were possible for all Kerberos versions up to and including 1.3.3. The krb5_aname_to_localname function translates a Kerberos principal name to a local account name, typically a UNIX username. This function is frequently used when performing authorization checks. If configured with mappings from particular Kerberos principals to particular UNIX user names, certain functions called by krb5_aname_to_localname will not properly check the lengths of buffers used to store portions of the principal name. If configured to map principals to user names using rules, krb5_aname_to_localname would consistently write one byte past the end of a buffer allocated from the heap. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0523 to this issue. Only configurations which enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname() are vulnerable. These configurations are not the default. Users of Kerberos are advised to upgrade to these erratum packages which contain backported security patches to correct these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0523 CAN-2004-0523 MIT Kerberos 5: buffer overflows in krb5_aname_to_localname cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SquirrelMail is a webmail package written in PHP. Multiple vulnerabilities have been found which affect the version of SquirrelMail shipped with Red Hat Enterprise Linux 3. An SQL injection flaw was found in SquirrelMail version 1.4.2 and earlier. If SquirrelMail is configured to store user addressbooks in the database, a remote attacker could use this flaw to execute arbitrary SQL statements. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0521 to this issue. A number of cross-site scripting (XSS) flaws in SquirrelMail version 1.4.2 and earlier could allow remote attackers to execute script as other web users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0519 and CAN-2004-0520 to these issues. All users of SquirrelMail are advised to upgrade to the erratum package containing SquirrelMail version 1.4.3a which is not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0519 CVE-2004-0520 CVE-2004-0521 CAN-2004-0519/20/21 XSS and SQL issues in Squirrelmail cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A buffer overflow was found within the NTLM authentication helper routine. If Squid is configured to use the NTLM authentication helper, a remote attacker could potentially execute arbitrary code by sending a lengthy password. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0541 to this issue. Note: The NTLM authentication helper is not enabled by default in Red Hat Enterprise Linux 3. Red Hat Enterprise Linux 2.1 is not vulnerable to this issue as it shipped with a version of Squid which did not contain the helper. Users of Squid should update to this errata package which contains a backported patch that is not vulnerable to this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0541 CAN-2004-0541 Squid NTLM authentication helper overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. During an audit of Red Hat Linux updates, the Fedora Legacy team found a security issue in libpng that had not been fixed in Red Hat Enterprise Linux 3. An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash or potentially execute arbitrary code when opened by a victim. Note: this issue does not affect Red Hat Enterprise Linux 2.1 Users are advised to upgrade to these updated packages that contain a backported security fix and are not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2002-1363 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. A flaw was found in Linux kernel versions 2.4 and 2.6 for x86 and x86_64 that allowed local users to cause a denial of service (system crash) by triggering a signal handler with a certain sequence of fsave and frstor instructions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0554 to this issue. Another flaw was discovered in an error path supporting the clone() system call that allowed local users to cause a denial of service (memory leak) by passing invalid arguments to clone() running in an infinite loop of a user's program. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0427 to this issue. Enhancements were committed to the 2.6 kernel by Al Viro which enabled the Sparse source code checking tool to check for a certain class of kernel bugs. A subset of these fixes also applies to various drivers in the 2.4 kernel. Although the majority of these resides in drivers unsupported in Red Hat Enterprise Linux 3, the flaws could lead to privilege escalation or access to kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0495 to these issues. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. These packages contain backported patches to correct these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0427 CVE-2004-0495 CVE-2004-0554 CAN-2004-0554 local user can get the kernel to hang [PATCH] CAN-2004-0554: FPU exception handling local DoS last RH kernel affected bug CAN-2004-0495 Sparse security fixes backported for 2.4 kernel cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. Evgeny Demidov discovered a flaw in the internal routine used by the Samba Web Administration Tool (SWAT) in Samba versions 3.0.2 through 3.0.4. When decoding base-64 data during HTTP basic authentication, an invalid base-64 character could cause a buffer overflow. If the SWAT administration service is enabled, this flaw could allow an attacker to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0600 to this issue. Additionally, the Samba team discovered a buffer overflow in the code used to support the 'mangling method = hash' smb.conf option. Please be aware that the default setting for this parameter is 'mangling method = hash2' and therefore not vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0686 to this issue. This release includes the updated upstream version 3.0.4 together with backported security patches to correct these issues as well as a number of post-3.0.4 bug fixes from the Samba subversion repository. The most important bug fix allows Samba users to change their passwords if Microsoft patch KB 828741 (a critical update) had been applied. All users of Samba should upgrade to these updated packages, which resolve these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0600 CVE-2004-0686 samba spec needs epoch in versioned dependecies samba consumes all memory then hangs z390 vmachine. Missing BuildRequires: krb5-devel local variable used before set smb.conf(5) manual page bug if you do not use UTF-8 based locale spec file should install libsmbclient.so with executable permissions Need 'printing = cups' and 'cups options = raw' Samba is unable to read international characters in filenames Users get error message when changing passwords after applying KB828741 NTBackup cannot access samba shares Requesting updated packages to 3.0.4 CAN-2004-0600 Buffer Overrun in memcpy() CAN-2004-0686 buffer overflow in 'mangling method = hash' code. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 IPSEC uses strong cryptography to provide both authentication and encryption services. When configured to use X.509 certificates to authenticate remote hosts, ipsec-tools versions 0.3.3 and earlier will attempt to verify that host certificate, but will not abort the key exchange if verification fails. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0607 to this issue. Users of ipsec-tools should upgrade to this updated package which contains a backported security patch and is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0607 CAN-2004-0607 racoon authentication bug cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 LHA is an archiving and compression utility for LHarc format archives. Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0769 to this issue. Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user could trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0771 and CAN-2004-0694 to these issues. Thomas Biege discovered a shell meta character command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0745 to this issue. Users of lha should update to this updated package which contains backported patches and is not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0769 CVE-2004-0771 CVE-2004-0694 CVE-2004-0745 CAN-2004-0694 Buffer overflow in lha (CAN-2004-0745, CAN-2004-0769, CAN-2004-0771) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. A stack buffer overflow was discovered in mod_ssl that could be triggered if using the FakeBasicAuth option. If mod_ssl was sent a client certificate with a subject DN field longer than 6000 characters, a stack overflow occured if FakeBasicAuth had been enabled. In order to exploit this issue the carefully crafted malicious certificate would have had to be signed by a Certificate Authority which mod_ssl is configured to trust. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0488 to this issue. A remotely triggered memory leak in the Apache HTTP Server earlier than version 2.0.50 was also discovered. This allowed a remote attacker to perform a denial of service attack against the server by forcing it to consume large amounts of memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0493 to this issue. Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0488 CVE-2004-0493 CAN-2004-0488 mod_ssl ssl_util_uuencode_binary() stack overflow CAN-2004-0493 folding header DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. An input filter bug in mod_ssl was discovered in Apache httpd version 2.0.50 and earlier. A remote attacker could force an SSL connection to be aborted in a particular state and cause an Apache child process to enter an infinite loop, consuming CPU resources. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0748 to this issue. Additionally, this update includes the following enhancements and bug fixes: - included an improved version of the mod_cgi module that correctly handles concurrent output on stderr and stdout - included support for direct lookup of SSL variables using %{SSL:...} from mod_rewrite, or using %{...}s from mod_headers - restored support for use of SHA1-encoded passwords - added the mod_ext_filter module Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0748 4097+ bytes of stderr from cgi script causes script to hang Apache autoindex corrupt when > 2GB file in tree HTTP authentication against password file with SHA1 password hashes fails please enable mod_ext_filter mod_ssl environment variables not available in mod_rewrite rules cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execuate arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0642 and CAN-2004-0643 to these issues. A double-free bug was also found in the krb524 server (CAN-2004-0772), however this issue does not affect Red Hat Enterprise Linux 3 Kerberos packages. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0644 to this issue. When attempting to contact a KDC, the Kerberos libraries will iterate through the list of configured servers, attempting to contact each in turn. If one of the servers becomes unresponsive, the client will time out and contact the next configured server. When the library attempts to contact the next KDC, the entire process is repeated. For applications which must contact a KDC several times, the accumulated time spent waiting can become significant. This update modifies the libraries, notes which server for a given realm last responded to a request, and attempts to contact that server first before contacting any of the other configured servers. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0642 CVE-2004-0643 CVE-2004-0644 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances. In the 2.4 kernel, as shipped with Red Hat Enterprise Linux, the only way this could happen is through the kernel nfs server. A user on a system that mounted a remote file system from a vulnerable machine may be able to make unauthorized changes to the group ID of exported files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0497 to this issue. Only Red Hat Enterprise Linux systems that are configured to share file systems via NFS are affected by this issue. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0497 CAN-2004-0497 inode_change_ok missing checks allows GID changes cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 GNOME VFS is the GNOME virtual file system. It provides a modular architecture and ships with several modules that implement support for file systems, HTTP, FTP, and others. The extfs backends make it possible to implement file systems for GNOME VFS using scripts. Flaws have been found in several of the GNOME VFS extfs backend scripts. Red Hat Enterprise Linux ships with vulnerable scripts, but they are not used by default. An attacker who is able to influence a user to open a specially-crafted URI using gnome-vfs could perform actions as that user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0494 to this issue. Users of Red Hat Enterprise Linux should upgrade to these updated packages, which remove these unused scripts. Low Copyright 2004 Red Hat, Inc. CVE-2004-0494 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. The SNMP dissector in Ethereal releases 0.8.15 through 0.10.4 contained a memory read flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0635 to this issue. The SMB dissector in Ethereal releases 0.9.15 through 0.10.4 contained a null pointer flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0634 to this issue. The iSNS dissector in Ethereal releases 0.10.3 through 0.10.4 contained an integer overflow flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0633 to this issue. Users of Ethereal should upgrade to these updated packages, which contain a version that is not vulnerable to these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0633 CVE-2004-0634 CVE-2004-0635 CAN-2004-0633/34/35 Multiple problems in Ethereal 0.10.4 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server. Stefan Esser discovered a flaw when memory_limit is enabled in versions of PHP 4 before 4.3.8. If a remote attacker could force the PHP interpreter to allocate more memory than the memory_limit setting before script execution begins, then the attacker may be able to supply the contents of a PHP hash table remotely. This hash table could then be used to execute arbitrary code as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0594 to this issue. This issue has a higher risk when PHP is running on an instance of Apache which is vulnerable to CAN-2004-0493. For Red Hat Enterprise Linux 3, this Apache memory exhaustion issue was fixed by a previous update, RHSA-2004:342. It may also be possible to exploit this issue if using a non-default PHP configuration with the "register_defaults" setting is changed to "On". Red Hat does not believe that this flaw is exploitable in the default configuration of Red Hat Enterprise Linux 3. Stefan Esser discovered a flaw in the strip_tags function in versions of PHP before 4.3.8. The strip_tags function is commonly used by PHP scripts to prevent Cross-Site-Scripting attacks by removing HTML tags from user-supplied form data. By embedding NUL bytes into form data, HTML tags can in some cases be passed intact through the strip_tags function, which may allow a Cross-Site-Scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0595 to this issue. All users of PHP are advised to upgrade to these updated packages, which contain backported patches that address these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0594 CVE-2004-0595 CAN-2004-0594 PHP memory_limit issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Gaim is an instant messenger client that can handle multiple protocols. Buffer overflow bugs were found in the Gaim MSN protocol handler. In order to exploit these bugs, an attacker would have to perform a man in the middle attack between the MSN server and the vulnerable Gaim client. Such an attack could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0500 to this issue. Buffer overflow bugs have been found in the Gaim URL decoder, local hostname resolver, and the RTF message parser. It is possible that a remote attacker could send carefully crafted data to a vulnerable client and lead to a crash or arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0785 to this issue. A shell escape bug has been found in the Gaim smiley theme file installation. When a user installs a smiley theme, which is contained within a tar file, the unarchiving of the data is done in an unsafe manner. An attacker could create a malicious smiley theme that would execute arbitrary commands if the theme was installed by the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0784 to this issue. An integer overflow bug has been found in the Gaim Groupware message receiver. It is possible that if a user connects to a malicious server, an attacker could send carefully crafted data which could lead to arbitrary code execution on the victims machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0754 to this issue. Users of Gaim are advised to upgrade to this updated package which contains Gaim version 0.82 and is not vulnerable to these issues. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0500 CVE-2004-0754 CVE-2004-0784 CVE-2004-0785 CAN-2004-0500 Gaim MSN protocol vulnerabilities cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. During a source code audit, Chris Evans discovered several buffer overflows in libpng. An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0597 to these issues. In addition, this audit discovered a potential NULL pointer dereference in libpng (CAN-2004-0598) and several integer overflow issues (CAN-2004-0599). An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to crash when the file was opened by the victim. Red Hat would like to thank Chris Evans for discovering these issues. For users of Red Hat Enterprise Linux 2.1 these patches also include a more complete fix for the out of bounds memory access flaw (CAN-2002-1363). All users are advised to update to the updated libpng packages which contain backported security patches and are not vulnerable to these issues. Critical Copyright 2004 Red Hat, Inc. CVE-2002-1363 CVE-2004-0597 CVE-2004-0598 CVE-2004-0599 CAN-2004-0597/98/99 multiple problems in libpng 1.2.5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SoX (Sound eXchange) is a sound file format converter. SoX can convert between many different digitized sound formats and perform simple sound manipulation functions, including sound effects. Buffer overflows existed in the parsing of WAV file header fields. It was possible that a malicious WAV file could have caused arbitrary code to be executed when the file was played or converted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0557 to these issues. All users of sox should upgrade to these updated packages, which resolve these issues as well as fix a number of minor bugs. Important Copyright 2004 Red Hat, Inc. CVE-2004-0557 largefile support missing SoX's soxplay doesn't except paths containg spaces sox RPM does not install soxmix -r option dumps core on x86_64 CAN-2004-0557 buffer overflows in sox cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdelibs packages include libraries for the K Desktop Environment. The kdebase packages include core applications for the K Desktop Environment. Andrew Tuitt reported that versions of KDE up to and including 3.2.3 create temporary directories with predictable names. A local attacker could prevent KDE applications from functioning correctly, or overwrite files owned by other users by creating malicious symlinks. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0689 to this issue. WESTPOINT internet reconnaissance services has discovered that the KDE web browser Konqueror allows websites to set cookies for certain country specific secondary top level domains. An attacker within one of the affected domains could construct a cookie which would be sent to all other websites within the domain leading to a session fixation attack. This issue does not affect popular domains such as .co.uk, .co.in, or .com. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0721 to this issue. A frame injection spoofing vulnerability has been discovered in the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a named frame of a different browser window. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0746 to this issue. All users of KDE are advised to upgrade to these erratum packages, which contain backported patches from the KDE team for these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0689 CVE-2004-0746 CVE-2004-0721 CAN-2004-0721 Konqueror frame injection spoofing CAN-2004-0689 Predictable temporary filenames CAN-2004-0746 Konqueror Cross-Domain Cookie Injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0415 to this issue. These packages contain a patch written by Al Viro to correct these flaws. Red Hat would like to thank iSEC Security Research for disclosing this issue and a number of vendor-sec participants for reviewing and working on the patch to this issue. In addition, these packages correct a number of minor security issues: An bug in the e1000 network driver. This bug could be used by local users to leak small amounts of kernel memory (CAN-2004-0535). A bug in the SoundBlaster 16 code which does not properly handle certain sample sizes. This flaw could be used by local users to crash a system (CAN-2004-0178). A possible NULL-pointer dereference in the Linux kernel prior to 2.4.26 on the Itanium platform could allow a local user to crash a system (CAN-2004-0447). Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode (CAN-2004-0587). All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2004-0178 CVE-2004-0415 CVE-2004-0447 CVE-2004-0535 CVE-2004-0587 CAN-2004-0447 [PATCH] IPF kernel crashes under gdb CAN-2004-0178 Soundblaster 16 local DoS CAN-2004-0535 e1000 kernel memory information leak CAN-2004-0587 Bad permissions on qla* drivers CAN-2004-0447 NULL-pointer dereference in unwind.c CAN-2004-0415 file offset pointer signedness issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System. During a security audit, Chris Evans discovered a heap overflow in the BMP image decoder in Qt versions prior to 3.3.3. An attacker could create a carefully crafted BMP file in such a way that it would cause an application linked with Qt to crash or possibly execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0691 to this issue. Additionally, various flaws were discovered in the GIF, XPM, and JPEG decoders in Qt versions prior to 3.3.3. An attacker could create carefully crafted image files in such a way that it could cause an application linked against Qt to crash when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0692 and CAN-2004-0693 to these issues. Users of Qt should update to these updated packages which contain backported patches and are not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0691 CVE-2004-0692 CVE-2004-0693 CAN-2004-0691 BMP decoder heap overflow CAN-2004-0692 XPM decoder integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A number of flaws have been found in Mozilla 1.4 that have been fixed in the Mozilla 1.4.3 release: Zen Parse reported improper input validation to the SOAPParameter object constructor leading to an integer overflow and controllable heap corruption. Malicious JavaScript could be written to utilize this flaw and could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0722 to this issue. During a source code audit, Chris Evans discovered a buffer overflow and integer overflows which affect the libpng code inside Mozilla. An attacker could create a carefully crafted PNG file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image was viewed. (CAN-2004-0597, CAN-2004-0599) Zen Parse reported a flaw in the POP3 capability. A malicious POP3 server could send a carefully crafted response that would cause a heap overflow and potentially allow execution of arbitrary code as the user running Mozilla. (CAN-2004-0757) Marcel Boesch found a flaw that allows a CA certificate to be imported with a DN the same as that of the built-in CA root certificates, which can cause a denial of service to SSL pages, as the malicious certificate is treated as invalid. (CAN-2004-0758) Met - Martin Hassman reported a flaw in Mozilla that could allow malicious Javascript code to upload local files from a users machine without requiring confirmation. (CAN-2004-0759) Mindlock Security reported a flaw in ftp URI handling. By using a NULL character (%00) in a ftp URI, Mozilla can be confused into opening a resource as a different MIME type. (CAN-2004-0760) Mozilla does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates website spoofing and other attacks, also known as the frame injection vulnerability. (CAN-2004-0718) Tolga Tarhan reported a flaw that can allow a malicious webpage to use a redirect sequence to spoof the security lock icon that makes a webpage appear to be encrypted. (CAN-2004-0761) Jesse Ruderman reported a security issue that affects a number of browsers including Mozilla that could allow malicious websites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box. (CAN-2004-0762) Emmanouel Kellinis discovered a caching flaw in Mozilla which allows malicious websites to spoof certificates of trusted websites via redirects and Javascript that uses the "onunload" method. (CAN-2004-0763) Mozilla allowed malicious websites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files. (CAN-2004-0764) The cert_TestHostName function in Mozilla only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN). This flaw could be used for spoofing if an attacker had control of machines on a default DNS search path. (CAN-2004-0765) All users are advised to update to these erratum packages which contain a snapshot of Mozilla 1.4.3 including backported fixes and are not vulnerable to these issues. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0597 CVE-2004-0599 CVE-2004-0718 CVE-2004-0722 CVE-2004-0757 CVE-2004-0758 CVE-2004-0759 CVE-2004-0760 CVE-2004-0761 CVE-2004-0762 CVE-2004-0763 CVE-2004-0764 CVE-2004-0765 CAN-2004-0758 Overriding built-in certificate leading to error -8182 (DoS), especially exploitable by email CAN-2004-0718 frame injection (spoofing) vuln in Mozilla before 1.7 Numerous security issues fixed in Mozilla 1.4.3 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The redhat-config-nfs package includes a graphical user interface for creating, modifying, and deleting nfs shares. John Buswell discovered a flaw in redhat-config-nfs that could lead to incorrect permissions on exported shares when exporting to multiple hosts. This could cause an option such as "all_squash" to not be applied to all of the listed hosts. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0750 to this issue. Additionally, a bug was found that prevented redhat-config-nfs from being run if hosts didn't have options set in /etc/exports. All users of redhat-config-nfs are advised to upgrade to these updated packages as well as checking their NFS shares directly or via the /etc/exports file for any incorrectly set options. Low Copyright 2004 Red Hat, Inc. CVE-2004-0750 CVE-2004-0750 [PATCH] /etc/exports has incorrect syntax for multiple hosts with a single mount point cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The rsync program synchronizes files over a network. Versions of rsync up to and including version 2.6.2 contain a path sanitization issue. This issue could allow an attacker to read or write files outside of the rsync directory. This vulnerability is only exploitable when an rsync server is enabled and is not running within a chroot. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0792 to this issue. Users of rsync are advised to upgrade to this updated package, which contains a backported patch and is not affected by this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0792 CAN-2004-0792 rsync path sanitizing bug cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ruby is an interpreted scripting language for object-oriented programming. Andres Salomon reported an insecure file permissions flaw in the CGI session management of Ruby. FileStore created world readable files that could allow a malicious local user the ability to read CGI session data. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0755 to this issue. Users are advised to upgrade to this erratum package, which contains a backported patch to CGI::Session FileStore. Low Copyright 2004 Red Hat, Inc. CVE-2004-0755 CAN-2004-0755 ruby insecure file permissions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. Secunia Research reported an issue with the handling of temporary files. A malicious local user could use this flaw to access the contents of another user's open documents. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0752 to this issue. All users of OpenOffice.org are advised to upgrade to these updated packages which contain a backported patch to correct this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0752 CAN-2004-0752 openoffice temporary file information leakage. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. [Updated 15th September 2004] Packages have been updated to correct a bug which caused the xpm loader to fail. During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was discovered in the BMP image processor of gdk-pixbuf. An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to this issue. During a security audit, Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CAN-2004-0782, CAN-2004-0783) Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file is opened by a victim. (CAN-2004-0788) These packages have also been updated to correct a bug which caused the xpm loader to fail. Users of gdk-pixbuf are advised to upgrade to these packages, which contain backported patches and are not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0753 CVE-2004-0782 CVE-2004-0783 CVE-2004-0788 CAN-2004-0753 bmp image loader DOS CAN-2004-0782/3/8 GTK XPM decoder issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) is a print spooler. Alvaro Martinez Echevarria reported a bug in the CUPS Internet Printing Protocol (IPP) implementation in versions of CUPS prior to 1.1.21. An attacker could send a carefully crafted UDP packet to the IPP port which could cause CUPS to stop listening to the port and result in a denial of service. In order to exploit this bug, an attacker would need to have the ability to send a UDP packet to the IPP port (by default 631). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0558 to this issue. All users of cups should upgrade to these updated packages, which contain a backported patch as well as a fix for a non-exploitable off-by-one bug. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0558 CAN-2004-0558 DOS in cups browsing cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email. A denial of service bug has been found in SpamAssassin versions below 2.64. A malicious attacker could construct a message in such a way that would cause spamassassin to stop responding, potentially preventing the delivery or filtering of email. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0796 to this issue. Users of SpamAssassin should update to these updated packages which contain a backported patch and is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0796 CAN-2004-0796 DOS attack open to certain malformed messages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. An out of bounds memory read bug was found within the NTLM authentication helper routine. If Squid is configured to use the NTLM authentication helper, a remote attacker could send a carefully crafted NTLM authentication packet and cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0832 to this issue. Note: The NTLM authentication helper is not enabled by default in Red Hat Enterprise Linux 3. Red Hat Enterprise Linux 2.1 is not vulnerable to this issue as it shipped with a version of Squid which did not contain the vulnerable helper. Users of Squid should update to this erratum package, which contains a backported patch and is not vulnerable to this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0832 CAN-2004-0832 Certain malformed NTLMSSP packets could crash the NTLM helpers provided by Squid cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. Four issues have been discovered affecting releases of the Apache HTTP 2.0 Server, up to and including version 2.0.50: Testing using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. This issue is not believed to allow arbitrary code execution on Red Hat Enterprise Linux. This issue also does not represent a significant denial of service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0786 to this issue. The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the expansion of environment variables during configuration file parsing. This issue could allow a local user to gain 'apache' privileges if an httpd process can be forced to parse a carefully crafted .htaccess file written by a local user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0747 to this issue. An issue was discovered in the mod_ssl module which could be triggered if the server is configured to allow proxying to a remote SSL server. A malicious remote SSL server could force an httpd child process to crash by sending a carefully crafted response header. This issue is not believed to allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0751 to this issue. An issue was discovered in the mod_dav module which could be triggered for a location where WebDAV authoring access has been configured. A malicious remote client which is authorized to use the LOCK method could force an httpd child process to crash by sending a particular sequence of LOCK requests. This issue does not allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0809 to this issue. Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0747 CVE-2004-0751 CVE-2004-0786 CVE-2004-0809 CAN-2004-0747/51/86 Apache issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Imlib is an image loading and rendering library. Several heap overflow flaws were found in the imlib BMP image handler. An attacker could create a carefully crafted BMP file in such a way that it could cause an application linked with imlib to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0817 to this issue. Users of imlib should update to this updated package which contains backported patches and is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0817 CAN-2004-0817 heap overflow in BMP decoder cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was discovered in the BMP image processor of gtk2. An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to this issue. During a security audit Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CAN-2004-0782, CAN-2004-0783) Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file was opened by a victim. (CAN-2004-0788) This updated gtk2 package also fixes a few key combination bugs on various X servers, such as Hummingbird, ReflectionX, and X-Win32. If a server was configured to use the Swiss German, Swiss French, or France French keyboard layouts, Mode_Switched characters were unable to be entered within GTK based applications. Users of gtk2 are advised to upgrade to these packages which contain backported patches and are not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0753 CVE-2004-0782 CVE-2004-0783 CVE-2004-0788 CAN-2004-0753 bmp image loader DOS CAN-2004-0782/3/8 GTK XPM decoder issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. The Samba team has discovered a denial of service bug in the smbd daemon. A defect in smbd's ASN.1 parsing allows an attacker to send a specially crafted packet during the authentication request which will send the newly spawned smbd process into an infinite loop. Given enough of these packets, it is possible to exhaust the available memory on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0807 to this issue. Additionally the Samba team has also discovered a denial of service bug in the nmbd daemon. It is possible that an attacker could send a specially crafted UDP packet which could allow the attacker to anonymously crash nmbd. This issue only affects nmbd daemons which are configured to process domain logons. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0808 to this issue. Users of Samba should upgrade to these updated packages, which contain an upgrade to Samba-3.0.7, which is not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0807 CVE-2004-0808 CAN-2004-0807/8 Samba 3 DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an open source implementation of the X Window System. It provides the basic low level functionality which full fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon. During a source code audit, Chris Evans discovered several stack overflow flaws and an integer overflow flaw in the X.Org libXpm library used to decode XPM (X PixMap) images. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0687, CAN-2004-0688, and CAN-2004-0692 to these issues. A flaw was found in the X Display Manager (XDM). XDM is shipped with Red Hat Enterprise Linux, but is not used by default. XDM opened a chooserFd TCP socket even if the DisplayManager.requestPort parameter was set to 0. This allowed authorized users to access a machine remotely via X, even if the administrator had configured XDM to refuse such connections. Although XFree86 4.3.0 was not vulnerable to this issue, Red Hat Enterprise Linux 3 contained a backported patch which introduced this flaw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0419 to this issue. Users are advised to upgrade to these erratum packages, which contain backported security patches to correct these and a number of other issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0419 CVE-2004-0687 CVE-2004-0688 CVE-2004-0692 CAN-2004-0419 xdm opens random tcp sockets xdm walks physical memory Radeon driver (7000m) TVDAC output too high for DELL Server CAN-2004-0687/8 libXpm stack and integer overflows. archexec script not in XFree86-devel package cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 ImageMagick(TM) is an image display and manipulation tool for the X Window System. A heap overflow flaw has been discovered in the ImageMagick image handler. An attacker could create a carefully crafted BMP file in such a way that it could cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0827 to this issue. Users of ImageMagick should upgrade to this updated package, which contains a backported patch, and is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0827 CAN-2004-0827 heap overflow in BMP decoder cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Jesse Ruderman discovered a cross-domain scripting bug in Mozilla. If a user is tricked into dragging a javascript link into another frame or page, it becomes possible for an attacker to steal or modify sensitive information from that site. Additionally, if a user is tricked into dragging two links in sequence to another window (not frame), it is possible for the attacker to execute arbitrary commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0905 to this issue. Gael Delalleau discovered an integer overflow which affects the BMP handling code inside Mozilla. An attacker could create a carefully crafted BMP file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image is viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0904 to this issue. Georgi Guninski discovered a stack-based buffer overflow in the vCard display routines. An attacker could create a carefully crafted vCard file in such a way that it would cause Mozilla to crash or execute arbitrary code when viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0903 to this issue. Wladimir Palant discovered a flaw in the way javascript interacts with the clipboard. It is possible that an attacker could use malicious javascript code to steal sensitive data which has been copied into the clipboard. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0908 to this issue. Georgi Guninski discovered a heap based buffer overflow in the "Send Page" feature. It is possible that an attacker could construct a link in such a way that a user attempting to forward it could result in a crash or arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0902 to this issue. Users of Mozilla should update to these updated packages, which contain backported patches and are not vulnerable to these issues. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0902 CVE-2004-0903 CVE-2004-0904 CVE-2004-0905 CVE-2004-0908 CAN-2004-0905 javascript link dragging information leak CAN-2004-0905 javascript link dragging information leak CAN-2004-0904 BMP integer overflows CAN-2004-0904 BMP integer overflows CAN-2004-0903 VCard buffer overflow CAN-2004-0903 VCard buffer overflow CAN-2004-0908 javascript clipboard information leakage CAN-2004-0908 javascript clipboard information leakage CAN-2004-0902 "send page" heap based buffer overflow CAN-2004-0902 "send page" heap based buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects, and user-defined types and functions). Trustix has identified improper temporary file usage in the make_oidjoins_check script. It is possible that an attacker could overwrite arbitrary file contents as the user running the make_oidjoins_check script. This script has been removed from the RPM file since it has no use to ordinary users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0977 to this issue. Additionally, the following non-security issues have been addressed: - Fixed a low probability risk for loss of recently committed transactions. - Fixed a low probability risk for loss of older data due to failure to update transaction status. - A lock file problem that sometimes prevented automatic restart after a system crash has been fixed. All users of rh-postgresql should upgrade to these updated packages, which resolve these issues. Low Copyright 2004 Red Hat, Inc. CVE-2004-0977 PostgreSQL can lose committed transactions a bug in rh-postgresql.spec file Postgres's init script does not remove stale PID file CAN-2004-0977 temporary file vulnerabilities in make_oidjoins_check script PostgreSQL data loss risk and minor security issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenMotif provides libraries which implement the Motif industry standard graphical user interface. During a source code audit, Chris Evans and others discovered several stack overflow flaws and an integer overflow flaw in the libXpm library used to decode XPM (X PixMap) images. A vulnerable version of this library was found within OpenMotif. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0687, CAN-2004-0688, and CAN-2004-0914 to these issues. Users of OpenMotif are advised to upgrade to these erratum packages, which contain backported security patches to the embedded libXpm library. Important Copyright 2004 Red Hat, Inc. CVE-2004-0687 CVE-2004-0688 CVE-2004-0914 CAN-2004-0687 libxpm flaws affect OpenMotif (CAN-2004-0688, CAN-2004-0914) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) is a print spooler. During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect xpdf. CUPS contains a copy of the xpdf code used for parsing PDF files and is therefore affected by these bugs. An attacker who has the ability to send a malicious PDF file to a printer could cause CUPS to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0888 to this issue. When set up to print to a shared printer via Samba, CUPS would authenticate with that shared printer using a username and password. By default, the username and password used to connect to the Samba share is written into the error log file. A local user who is able to read the error log file could collect these usernames and passwords. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0923 to this issue. These updated packages also include a fix that prevents some CUPS configuration files from being accidentally replaced. All users of CUPS should upgrade to these updated packages, which resolve these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0888 CVE-2004-0923 cups configuration mime.types was updated - not copied to mime.types.rpmnew CAN-2004-0923 Log file information disclosure CAN-2004-0888 xpdf issues affect cups cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. At application startup, libsasl and libsasl2 attempts to build a list of all available SASL plug-ins which are available on the system. To do so, the libraries search for and attempt to load every shared library found within the plug-in directory. This location can be set with the SASL_PATH environment variable. In situations where an untrusted local user can affect the environment of a privileged process, this behavior could be exploited to run arbitrary code with the privileges of a setuid or setgid application. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0884 to this issue. Users of cyrus-sasl should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0884 CAN-2004-0884 privilege escalation cyrus-sasl causes crashes with ldap cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This update includes fixes for several security issues: A missing serialization flaw in unix_dgram_recvmsg was discovered that affects kernels prior to 2.4.28. A local user could potentially make use of a race condition in order to gain privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1068 to this issue. Paul Starzetz of iSEC discovered various flaws in the ELF binary loader affecting kernels prior to 2.4.28. A local user could use thse flaws to gain read access to executable-only binaries or possibly gain privileges. (CAN-2004-1070, CAN-2004-1071, CAN-2004-1072, CAN-2004-1073) A flaw when setting up TSS limits was discovered that affects AMD AMD64 and Intel EM64T architecture kernels prior to 2.4.23. A local user could use this flaw to cause a denial of service (crash) or possibly gain privileges. (CAN-2004-0812) An integer overflow flaw was discovered in the ubsec_keysetup function in the Broadcom 5820 cryptonet driver. On systems using this driver, a local user could cause a denial of service (crash) or possibly gain elevated privileges. (CAN-2004-0619) Stefan Esser discovered various flaws including buffer overflows in the smbfs driver affecting kernels prior to 2.4.28. A local user may be able to cause a denial of service (crash) or possibly gain privileges. In order to exploit these flaws the user would require control of a connected Samba server. (CAN-2004-0883, CAN-2004-0949) SGI discovered a bug in the elf loader that affects kernels prior to 2.4.25 which could be triggered by a malformed binary. On architectures other than x86, a local user could create a malicious binary which could cause a denial of service (crash). (CAN-2004-0136) Conectiva discovered flaws in certain USB drivers affecting kernels prior to 2.4.27 which used the copy_to_user function on uninitialized structures. These flaws could allow local users to read small amounts of kernel memory. (CAN-2004-0685) All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2004-0138 CVE-2004-0619 CVE-2004-0685 CVE-2004-0812 CVE-2004-0883 CVE-2004-0949 CVE-2004-1068 CVE-2004-1070 CVE-2004-1071 CVE-2004-1072 CVE-2004-1073 CAN-2004-0619 Broadcom 5820 integer overflow CAN-2004-0138 Verify interpreter arch CAN-2004-0685 usb sparse fixes in 2.4 CAN-2004-0883 smbfs potential DOS (CAN-2004-0949) CAN-2004-1070 binfmt_elf loader vulnerabilities (CAN-2004-1071 CAN-2004-1072 CAN-2004-1073) CAN-2004-0138 Program crashes the kernel CAN-2004-1068 Missing serialisation in unix_dgram_recvmsg cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. An issue has been discovered in the mod_ssl module when configured to use the "SSLCipherSuite" directive in directory or location context. If a particular location context has been configured to require a specific set of cipher suites, then a client will be able to access that location using any cipher suite allowed by the virtual host configuration. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0885 to this issue. An issue has been discovered in the handling of white space in request header lines using MIME folding. A malicious client could send a carefully crafted request, forcing the server to consume large amounts of memory, leading to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0942 to this issue. Several minor bugs were also discovered, including: - In the mod_cgi module, problems that arise when CGI scripts are invoked from SSI pages by mod_include using the "#include virtual" syntax have been fixed. - In the mod_dav_fs module, problems with the handling of indirect locks on the S/390x platform have been fixed. Users of the Apache HTTP server who are affected by these issues should upgrade to these updated packages, which contain backported patches. Important Copyright 2004 Red Hat, Inc. CVE-2004-0885 CVE-2004-0942 CVE-2004-1834 CAN-2004-0885 SSLCipherSuite bypass CAN-2004-0942 Memory consumption DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 MySQL is a multi-user, multi-threaded SQL database server. This update fixes a number of small bugs, including some potential security problems associated with careless handling of temporary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0381, CAN-2004-0388, and CAN-2004-0457 to these issues. A number of additional security issues that affect mysql have been corrected in the source package. These include CAN-2004-0835, CAN-2004-0836, CAN-2004-0837, and CAN-2004-0957. Red Hat Enterprise Linux 3 does not ship with the mysql-server package and is therefore not affected by these issues. This update also allows 32-bit and 64-bit libraries to be installed concurrently on the same system. All users of mysql should upgrade to these updated packages, which resolve these issues. Low Copyright 2004 Red Hat, Inc. CVE-2004-0381 CVE-2004-0388 CVE-2004-0457 /etc/init.d/mysqld doesn't wait for server to start Always timeout error starting MySQL Daemon mysqlhotcopy of local Fedora DB broken after upgrade from RH9 [PATCH] Bug fix + enhancement for mysql_setpermission botched string concat ? CAN-2004-0381 mysqlbug temporary file vulnerability Cannot drop databases database service should start earlier linking with 'mysql --libs' doesent seem to work correctly. CAN-2004-0457 mysqlhotcopy insecure temporary file vulnerability Service mysqld restart CAN-2004-0835 MySQL flaws (CAN-2004-0836, CAN-2004-0837, CAN-2004-0957) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. TIFF is a widely used file format for bitmapped images. During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect libtiff. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause the application linked to libtiff to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0886 and CAN-2004-0804 to these issues. Additionally, a number of buffer overflow bugs that affect libtiff have been found. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause the application linked to libtiff to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0803 to this issue. All users are advised to upgrade to these errata packages, which contain fixes for these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0803 CVE-2004-0886 CVE-2004-0804 CVE-2004-1307 CAN-2004-0803 buffer overflows in libtiff CAN-2004-0886 multiple integer overflows in libtiff cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The nfs-utils package provides a daemon for the kernel NFS server and related tools, providing a much higher level of performance than the traditional Linux NFS server used by most users. This package also contains the showmount program. Showmount queries the mount daemon on a remote host for information about the NFS (Network File System) server on the remote host. SGI reported that the statd daemon did not properly handle the SIGPIPE signal. A misconfigured or malicious peer could cause statd to crash, leading to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1014 to this issue. Arjan van de Ven discovered a buffer overflow in rquotad. On 64-bit architectures, an improper integer conversion can lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0946 to this issue. Additionally, this updated package addresses the following issues: - The UID of the nfsnobody account has been fixed for 32-bit and 64-bit machines. Because the st_uid field of the stat structure is an unsigned integer, an actual value of -2 cannot be used when creating the account, so the decimal value of -2 is used. On a 32-bit machine, the decimal value of -2 is 65534 but on a 64-bit machine it is 4294967294. This errata enables the nfs-utils post-install script to detect the target architecture, so an appropriate decimal value is used. All users of nfs-utils should upgrade to this updated package, which resolves these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-1014 CVE-2004-0946 CAN-2004-1014 DoS in statd cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 X-Chat is a graphical IRC chat client for the X Window System. A stack buffer overflow has been fixed in the SOCKSv5 proxy code. An attacker could create a malicious SOCKSv5 proxy server in such a way that X-Chat would execute arbitrary code if a victim configured X-Chat to use the proxy. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0409 to this issue. Users of X-Chat should upgrade to this erratum package, which contains a backported security patch, and is not vulnerable to this issue. Low Copyright 2004 Red Hat, Inc. CVE-2004-0409 CAN-2004-0409 XChat buffer overflow in socks5 proxy CAN-2004-0409 XChat buffer overflow in socks5 proxy cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The GNU libc packages (known as glibc) contain the standard C libraries used by applications. This errata fixes several bugs in the GNU C Library. Fixes include (in addition to enclosed Bugzilla entries): - fixed 32-bit atomic operations on 64-bit powerpc - fixed -m32 -I /usr/include/nptl compilation on AMD64 - NPTL <pthread.h> should now be usable in C++ code or -pedantic -std=c89 C - rwlocks are now available also in the _POSIX_C_SOURCE=200112L namespace - pthread_once is no longer throw(), as the callback routine might throw - pthread_create now correctly returns EAGAIN when thread couldn't be created because of lack of memory - fixed NPTL stack freeing in case of pthread_create failure with detached thread - fixed pthread_mutex_timedlock on i386 and AMD64 - Itanium gp saving fix in linuxthreads - fixed s390/s390x unwinding tests done during cancellation if stack frames are small - fixed fnmatch(3) backslash handling - fixed out of memory behaviour of syslog(3) - resolver ID randomization - fixed fim (NaN, NaN) - glob(3) fixes for dangling symlinks - catchsegv fixed to work with both 32-bit and 64-bit binaries on x86-64, s390x and ppc - fixed reinitialization of _res when using NPTL stack cache - updated bug reporting instructions, removed glibcbug script - fixed infinite loop in iconv with some options - fixed inet_aton return value - CPU friendlier busy waiting in linuxthreads on EM64T and IA-64 - avoid blocking/masking debug signal in linuxthreads - fixed locale program output when neither LC_ALL nor LANG is set - fixed using of unitialized memory in localedef - fixed mntent_r escape processing - optimized mtrace script - linuxthread_db fixes on ppc64 - cfi instructions in x86-64 linuxthreads vfork - some _POSIX_C_SOURCE=200112L namespace fixes All users of glibc should upgrade to these updated packages, which resolve these issues. Low Copyright 2004 Red Hat, Inc. CVE-2004-0968 Weird string in date printing malloc exhausts memory to fast in mulithreaded program getnameinfo does not use /etc/hosts for lookup of V4MAPPED addresses __builtin_expect's prototype does not expect int args; assert feeds it just that glibc's traceback() fails when called from an exception handler glibc-nis-performance.patch causes gdm to hang glibc in RHEL 3 needs to have syslog.c updated to cvs version 1.42 CAN-2004-0968 temporary file vulnerabilities in catchsegv script cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. iDEFENSE reported a flaw in the squid SNMP module. This flaw could allow an attacker who has the ability to send arbitrary packets to the SNMP port to restart the server, causing it to drop all open connections. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0918 to this issue. All users of squid should update to this erratum package, which contains a backport of the security fix for this vulnerability. Important Copyright 2004 Red Hat, Inc. CVE-2004-0918 CAN-2004-0918 SNMP DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of xpdf. An attacker could construct a carefully crafted PDF file that could cause xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0888 to this issue. Users of xpdf are advised to upgrade to this errata package, which contains a backported patch correcting these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0888 CAN-2004-0888 xpdf integer overflows (CAN-2005-0206) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The gaim application is a multi-protocol instant messaging client. A buffer overflow has been discovered in the MSN protocol handler. When receiving unexpected sequence of MSNSLP messages, it is possible that an attacker could cause an internal buffer overflow, leading to a crash or possible code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0891 to this issue. This updated gaim package also fixes multiple user interface, protocol, and error handling problems, including an ICQ communication encoding issue. Additionally, these updated packages have compiled gaim as a PIE (position independent executable) for added protection against future security vulnerabilities. All users of gaim should upgrade to this updated package, which includes various bug fixes, as well as a backported security patch. Important Copyright 2004 Red Hat, Inc. CVE-2004-0891 CAN-2004-0891 MSN protocol buffer overflow. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A number of flaws were found in FreeRADIUS versions prior to 1.0.1. An attacker who is able to send packets to the server could construct carefully constructed packets in such a way as to cause the server to consume memory or crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0938, CAN-2004-0960, and CAN-2004-0961 to these issues. Users of FreeRADIUS should update to these erratum packages that contain FreeRADIUS 1.0.1, which is not vulnerable to these issues and also corrects a number of bugs. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0938 CVE-2004-0960 CVE-2004-0961 zlib-devel is missing from BuildRequires in spec file rebuilding freeradius picks up system libeap rather than package libeap Missing buildrequires in freediag radiusd.conf specifies other pam-auth than file installed in /etc/pam.d CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960, CAN-2004-0961) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an open source implementation of the X Window System. It provides the basic low level functionality which full fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon. Several integer overflow flaws in the X.Org libXpm library used to decode XPM (X PixMap) images have been found and addressed. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0914 to this issue. Users are advised to upgrade to these erratum packages, which contain backported security patches as well as other bug fixes. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0914 CAN-2004-0914 libXpm integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 libxml2 is a library for manipulating XML files. Multiple buffer overflow bugs have been found in libxml2 versions prior to 2.6.14. If an attacker can trick a user into passing a specially crafted FTP URL or FTP proxy URL to an application that uses the vulnerable functions of libxml2, it could be possible to execute arbitrary code. Additionally, if an attacker can return a specially crafted DNS request to libxml2, it could be possible to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0989 to this issue. All users are advised to upgrade to this updated package, which contains backported patches and is not vulnerable to these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0989 CAN-2004-0989 multiple buffer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. During a code audit, Stefan Esser discovered a buffer overflow in Samba versions prior to 3.0.8 when handling unicode filenames. An authenticated remote user could exploit this bug which may lead to arbitrary code execution on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0882 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to remotely exploit this vulnerability on x86 architectures. Additionally, a bug was found in the input validation routines in versions of Samba prior to 3.0.8 that caused the smbd process to consume abnormal amounts of system memory. An authenticated remote user could exploit this bug to cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0930 to this issue. Users of Samba should upgrade to these updated packages, which contain backported security patches, and are not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0882 CVE-2004-0930 CAN-2004-0882 unicode parsing overflow CAN-2004-0930 wildcard remote DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The zip program is an archiving utility which can create ZIP-compatible archives. A buffer overflow bug has been discovered in zip when handling long file names. An attacker could create a specially crafted path which could cause zip to crash or execute arbitrary instructions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1010 to this issue. Users of zip should upgrade to this updated package, which contains backported patches and is not vulnerable to this issue. Low Copyright 2004 Red Hat, Inc. CVE-2004-1010 CAN-2004-1010 buffer overflow when creating archive containing very long filenames. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ruby is an interpreted scripting language for object-oriented programming. A flaw was dicovered in the CGI module of Ruby. If empty data is sent by the POST method to the CGI script which requires MIME type multipart/form-data, it can get stuck in a loop. A remote attacker could trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0983 to this issue. Users are advised to upgrade to this erratum package, which contains a backported patch to cgi.rb. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0983 CAN-2004-0983 Denial of Service in Ruby cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 ImageMagick(TM) is an image display and manipulation tool for the X Window System. A buffer overflow flaw was discovered in the ImageMagick image handler. An attacker could create a carefully crafted image file with an improper EXIF information in such a way that it would cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0981 to this issue. David Eisenstein has reported that our previous fix for CAN-2004-0827, a heap overflow flaw, was incomplete. An attacker could create a carefully crafted BMP file in such a way that it could cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0827 to this issue. Users of ImageMagick should upgrade to these updated packages, which contain a backported patch, and is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0981 CVE-2004-0827 CAN-2004-0827 heap overflow in BMP decoder CAN-2004-0981 buffer overflow in ImageMagick's EXIF parser cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The gd packages contain a graphics library used for the dynamic creation of images such as PNG and JPEG. Several buffer overflows were reported in various memory allocation calls. An attacker could create a carefully crafted image file in such a way that it could cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0990 to these issues. While researching the fixes to these overflows, additional buffer overflows were discovered in calls to gdMalloc. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0941 to these issues. Users of gd should upgrade to these updated packages, which contain a backported security patch, and are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-0941 CVE-2004-0990 CAN-2004-0990 integer overflow in PNG handling. CAN-2004-0941 additional overflows in gd cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libxml package contains a library for manipulating XML files. Multiple buffer overflow bugs have been found in libxml versions prior to 2.6.14. If an attacker can trick a user into passing a specially crafted FTP URL or FTP proxy URL to an application that uses the vulnerable functions of libxml, it could be possible to execute arbitrary code. Additionally, if an attacker can return a specially crafted DNS request to libxml, it could be possible to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0989 to this issue. Yuuichi Teranishi discovered a flaw in libxml versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0110 to this issue. All users are advised to upgrade to this updated package, which contains backported patches and is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0110 CVE-2004-0989 CAN-2004-0110 multiple buffer overflows (CAN-2004-0989) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The imlib packages contain an image loading and rendering library. Pavel Kankovsky discovered several heap overflow flaws that were found in the imlib image handler. An attacker could create a carefully crafted image file in such a way that it could cause an application linked with imlib to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1025 to this issue. Additionally, Pavel discovered several integer overflow flaws that were found in the imlib image handler. An attacker could create a carefully crafted image file in such a way that it could cause an application linked with imlib to execute arbitrary code or crash when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1026 to this issue. Users of imlib should update to these updated packages, which contain backported patches and are not vulnerable to this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-1025 CVE-2004-1026 CAN-2004-1025 Multiple imlib issues. (CAN-2004-1026) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SquirrelMail is a webmail package written in PHP. A cross-site scripting bug has been found in SquirrelMail. This issue could allow an attacker to send a mail with a carefully crafted header, which could result in causing the victim's machine to execute a malicious script. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1036 to this issue. Additionally, the following issues have been addressed: - updated splash screens - HIGASHIYAMA Masato's patch to improve Japanese support - real 1.4.3a tarball - config_local.php and default_pref in /etc/squirrelmail/ to match upstream RPM. Please note that it is possible that upgrading to this package may remove your SquirrelMail configuration files due to a bug in the RPM package. Upgrading will prevent this from happening in the future. Users of SquirrelMail are advised to upgrade to this updated package which contains a patched version of SquirrelMail version 1.43a and is not vulnerable to these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-1036 The login page says Red Hat Linux instead of Fedora/RHEL config_local.php is not listed as a config file CAN-2004-1036 Cross Site Scripting in encoded text cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. Greg MacManus of iDEFENSE Labs has discovered an integer overflow bug in Samba versions prior to 3.0.10. An authenticated remote user could exploit this bug which may lead to arbitrary code execution on the Samba server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1154 to this issue. Users of Samba should upgrade to these updated packages, which contain backported security patches, and are not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-1154 CAN-2004-1154 Samba authenticated remote root cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Flaws including possible information disclosure, double free, and negative reference index array underflow were found in the deserialization code of PHP. PHP applications may use the unserialize function on untrusted user data, which could allow a remote attacker to gain access to memory or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1019 to this issue. A flaw in the exif extension of PHP was found which lead to a stack overflow. An attacker could create a carefully crafted image file in such a way that if parsed by a PHP script using the exif extension it could cause a crash or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1065 to this issue. An information disclosure bug was discovered in the parsing of "GPC" variables in PHP (query strings or cookies, and POST form data). If particular scripts used the values of the GPC variables, portions of the memory space of an httpd child process could be revealed to the client. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0958 to this issue. A file access bug was discovered in the parsing of "multipart/form-data" forms, used by PHP scripts which allow file uploads. In particular configurations, some scripts could allow a malicious client to upload files to an arbitrary directory where the "apache" user has write access. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0959 to this issue. Flaws were found in shmop_write, pack, and unpack PHP functions. These functions are not normally passed user supplied data, so would require a malicious PHP script to be exploited. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1018 to this issue. Various issues were discovered in the use of the "select" system call in PHP, which could be triggered if PHP is used in an Apache configuration where the number of open files (such as virtual host log files) exceeds the default process limit of 1024. Workarounds are now included for some of these issues. The "phpize" shell script included in PHP can be used to build third-party extension modules. A build issue was discovered in the "phpize" script on some 64-bit platforms which prevented correct operation. The "pcntl" extension module is now enabled in the command line PHP interpreter, /usr/bin/php. This module enables process control features such as "fork" and "kill" from PHP scripts. Users of PHP should upgrade to these updated packages, which contain fixes for these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0958 CVE-2004-0959 CVE-2004-1018 CVE-2004-1019 CVE-2004-1065 Include process control extension, pcntl phpize is broken on x86_64 fopen doesn't work across remote connections while under Apache CAN-2004-0958 PHP variable parsing CAN-2004-0959 PHP arbitrary file creation CAN-2004-1019 information disclosure issues CAN-2004-1065 ext/exif/exif.c - exif_read_data() overflow on long sectionname cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This advisory includes fixes for several security issues: Petr Vandrovec discovered a flaw in the 32bit emulation code affecting the Linux 2.4 kernel on the AMD64 architecture. A local attacker could use this flaw to gain privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1144 to this issue. ISEC security research discovered multiple vulnerabilities in the IGMP functionality which was backported in the Red Hat Enterprise Linux 3 kernels. These flaws could allow a local user to cause a denial of service (crash) or potentially gain privileges. Where multicast applications are being used on a system, these flaws may also allow remote users to cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1137 to this issue. ISEC security research and Georgi Guninski independantly discovered a flaw in the scm_send function in the auxiliary message layer. A local user could create a carefully crafted auxiliary message which could cause a denial of service (system hang). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1016 to this issue. A floating point information leak was discovered in the ia64 architecture context switch code. A local user could use this flaw to read register values of other processes by setting the MFH bit. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0565 to this issue. Kirill Korotaev found a flaw in load_elf_binary affecting kernels prior to 2.4.26. A local user could create a carefully crafted binary in such a way that it would cause a denial of service (system crash). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1234 to this issue. These packages also fix issues in the io_edgeport driver, and a memory leak in ip_options_get. Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2004-0565 CVE-2004-1016 CVE-2004-1017 CVE-2004-1137 CVE-2004-1144 CVE-2004-1234 CVE-2004-1335 CAN-2004-0565 Information leak on Linux/ia64 CAN-2004-0565 Information leak on Linux/ia64 CAN-2004-1016 CMSG validation checks CAN-2004-1137 IGMP flaws CAN-2004-1144 x86-64 privilege escalation CAN-2004-1234 kernel denial of service vulnerability and exploit cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdelibs packages include libraries for the K Desktop Environment. The kdebase packages include core applications for the K Desktop Environment. Secunia Research discovered a window injection spoofing vulnerability affecting the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a different browser window. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1158 to this issue. A bug was discovered in the way kioslave handles URL-encoded newline (%0a) characters before the FTP command. It is possible that a specially crafted URL could be used to execute any ftp command on a remote server, or potentially send unsolicited email. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1165 to this issue. A bug was discovered that can crash KDE screensaver under certain local circumstances. This could allow an attacker with physical access to the workstation to take over a locked desktop session. Please note that this issue only affects Red Hat Enterprise Linux 2.1. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-0078 to this issue. All users of KDE are advised to upgrade to this updated packages, which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1158 CVE-2004-1165 CVE-2005-0078 CAN-2004-1158 Frame injection vulnerability. CAN-2005-0078 password bypass in kde screensaver CAN-2004-1165 kioslave command injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 VIM (Vi IMproved) is an updated and improved version of the vi screen-based editor. Ciaran McCreesh discovered a modeline vulnerability in VIM. It is possible that a malicious user could create a file containing a specially crafted modeline which could cause arbitrary command execution when viewed by a victim. Please note that this issue only affects users who have modelines and filetype plugins enabled, which is not the default. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1138 to this issue. All users of VIM are advised to upgrade to these erratum packages, which contain a backported patch for this issue. Low Copyright 2005 Red Hat, Inc. CVE-2004-1138 CAN-2004-1138 vim arbitrary command execution vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws. A flaw in the DICOM dissector could cause a crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1139 to this issue. A invalid RTP timestamp could hang Ethereal and create a large temporary file, possibly filling available disk space. (CAN-2004-1140) The HTTP dissector could access previously-freed memory, causing a crash. (CAN-2004-1141) An improperly formatted SMB packet could make Ethereal hang, maximizing CPU utilization. (CAN-2004-1142) The COPS dissector could go into an infinite loop. (CAN-2005-0006) The DLSw dissector could cause an assertion, making Ethereal exit prematurely. (CAN-2005-0007) The DNP dissector could cause memory corruption. (CAN-2005-0008) The Gnutella dissector could cause an assertion, making Ethereal exit prematurely. (CAN-2005-0009) The MMSE dissector could free static memory, causing a crash. (CAN-2005-0010) The X11 protocol dissector is vulnerable to a string buffer overflow. (CAN-2005-0084) Users of Ethereal should upgrade to these updated packages which contain version 0.10.9 that is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1139 CVE-2004-1140 CVE-2004-1141 CVE-2004-1142 CVE-2005-0006 CVE-2005-0007 CVE-2005-0008 CVE-2005-0009 CVE-2005-0010 CVE-2005-0084 CAN-2004-1139 Ethereal flaws (CAN-2004-1140 CAN-2004-1141 CAN-2004-1142) CAN-2005-0006 multiple ethereal issues (CAN-2005-0007 CAN-2005-0008 CAN-2005-0009 CAN-2005-0010 CAN-2005-0084) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This bug could allow an authenticated remote attacker to execute arbitrary commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1189 to this issue. Additionally a temporary file bug was found in the Kerberos krb5-send-pr program. It is possible that an attacker could create a temporary file that would allow an arbitrary file to be overwritten which the victim has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0971 to this issue. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0971 CVE-2004-1189 CAN-2004-0971 temporary file vulnerabilities in krb5-send-pr script CAN-2004-0971 temporary file vulnerabilities in krb5-send-pr script CAN-2004-1189 buffer overflow in krb5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. A buffer overflow was found in the CUPS pdftops filter, which uses code from the Xpdf package. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow was found in the ParseCommand function in the hpgltops program. An attacker who has the ability to send a malicious HPGL file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1267 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to exploit these buffer overflow vulnerabilities on x86 architectures. The lppasswd utility ignores write errors when modifying the CUPS passwd file. A local user who is able to fill the associated file system could corrupt the CUPS password file or prevent future uses of lppasswd. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1268 and CAN-2004-1269 to these issues. The lppasswd utility does not verify that the passwd.new file is different from STDERR, which could allow local users to control output to passwd.new via certain user input that triggers an error message. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1270 to this issue. In addition to these security issues, two other problems not relating to security have been fixed: Resuming a job with "lp -H resume", which had previously been held with "lp -H hold" could cause the scheduler to stop. This has been fixed in later versions of CUPS, and has been backported in these updated packages. The cancel-cups(1) man page is a symbolic link to another man page. The target of this link has been corrected. All users of cups should upgrade to these updated packages, which resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1125 CVE-2004-1267 CVE-2004-1268 CVE-2004-1269 CVE-2004-1270 cancel-cups man page missing from errata package CAN-2004-1267 Bernstein cups issues (CAN-2004-1268 CAN-2004-1269 CAN-2004-1270) CAN-2004-1125 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to exploit this vulnerability on x86 architectures. All users of the Xpdf packages should upgrade to these updated packages, which resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1125 CAN-2004-1125 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. iDEFENSE has reported an integer overflow bug that affects libtiff. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause the application linked to libtiff to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1308 to this issue. Dmitry V. Levin reported another integer overflow in the tiffdump utility. An atacker who has the ability to trick a user into opening a malicious TIFF file with tiffdump could possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1183 to this issue. All users are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1308 CVE-2004-1183 CAN-2004-1308 LibTIFF Directory Entry Count Integer Overflow Vulnerability CVE-2004-1183 libtiff: tiffdump integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdegraphics package contains graphics applications for the K Desktop Environment. During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect libtiff. The kfax application contains a copy of the libtiff code used for parsing TIFF files and is therefore affected by these bugs. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause kfax to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0886 and CAN-2004-0804 to these issues. Additionally, a number of buffer overflow bugs that affect libtiff have been found. The kfax application contains a copy of the libtiff code used for parsing TIFF files and is therefore affected by these bugs. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause kfax to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0803 to this issue. Users of kfax should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0803 CVE-2004-0886 CVE-2004-0804 CVE-2004-1307 CVE-2004-1308 CAN-2004-0803 buffer overflows in libtiff CAN-2004-0886 multiple integer overflows in libtiff cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow was discovered in the spa_base64_to_bits function in Exim, as originally obtained from Samba code. If SPA authentication is enabled, a remote attacker may be able to exploit this vulnerability to execute arbitrary code as the 'exim' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0022 to this issue. Please note that SPA authentication is not enabled by default in Red Hat Enterprise Linux 4. Buffer overflow flaws were discovered in the host_aton and dns_build_reverse functions in Exim. A local user can trigger these flaws by executing exim with carefully crafted command line arguments and may be able to gain the privileges of the 'exim' account. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0021 to this issue. Users of Exim are advised to update to these erratum packages which contain backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0021 CVE-2005-0022 CAN-2005-0021 exim security issues (CAN-2005-0022) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The tetex packages (teTeX) contain an implementation of TeX for Linux or UNIX systems. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf which also affects teTeX due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause teTeX to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects teTeX due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause teTeX to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. Users should update to these erratum packages which contain backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0064 CVE-2004-1125 CAN-2004-1125 xpdf buffer overflow CAN-2005-0064 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Flaws including possible information disclosure, double free, and negative reference index array underflow were found in the deserialization code of PHP. PHP applications may use the unserialize function on untrusted user data, which could allow a remote attacker to gain access to memory or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1019 to this issue. A flaw in the exif extension of PHP was found which lead to a stack overflow. An attacker could create a carefully crafted image file in such a way which, if parsed by a PHP script using the exif extension, could cause a crash or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1065 to this issue. Flaws were found in shmop_write, pack, and unpack PHP functions. These functions are not normally passed user supplied data, so would require a malicious PHP script to be exploited. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1018 to this issue. Users of PHP should upgrade to these updated packages, which contain fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1018 CVE-2004-1019 CVE-2004-1065 CAN-2004-1018 Multiple issues in PHP (CAN-2004-1019 CAN-2004-1020) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The alsa-lib package provides a library of functions for communication with kernel sound drivers. A flaw in the alsa mixer code was discovered that caused stack execution protection to be disabled for the libasound.so library. The effect of this flaw is that stack execution protection, through NX or Exec-Shield, would be disabled for any application linked to libasound. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0087 to this issue Users are advised to upgrade to this updated package, which contains a patched version of the library which correctly enables stack execution protection. Important Copyright 2005 Red Hat, Inc. CVE-2005-0087 CAN-2005-0087 alsa-lib disables stack protection for it's users cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. This issue was assigned the name CAN-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). Red Hat Enterprise Linux 4 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. All users of Xpdf should upgrade to this updated package, which contains backported patches to resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1125 CVE-2005-0064 CVE-2005-0206 PDF is displayed garbled, older xpdf works CAN-2004-1125 xpdf buffer overflow CAN-2005-0064 xpdf buffer overflow CAN-2004-0888 xpdf integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. infamous41md discovered integer overflow flaws in libtiff. An attacker could create a carefully crafted TIFF file in such a way that it could cause an application linked with libtiff to overflow a heap buffer when the file was opened by a victim. Due to the nature of the overflow it is unlikely that it is possible to use this flaw to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1308 to this issue. Dmitry V. Levin discovered an integer overflow flaw in libtiff. An attacker could create a carefully crafted TIFF file in such a way that it could cause an application linked with libtiff to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1183 to this issue. All users are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1308 CVE-2004-1183 CAN-2004-1308 LibTIFF Directory Entry Count Integer Overflow Vulnerability CAN-2004-1183 libtiff integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 VIM (Vi IMproved) is an updated and improved version of the vi screen-based editor. Ciaran McCreesh discovered a modeline vulnerability in VIM. An attacker could create a text file containing a specially crafted modeline which could cause arbitrary command execution when viewed by a victim using VIM. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1138 to this issue. Please note that this issue only affects users who have modelines and filetype plugins enabled, which is not the default. The Debian Security Audit Project discovered an insecure temporary file usage in VIM. A local user could overwrite or create files as a different user who happens to run one of the the vulnerable utilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0069 to this issue. All users of VIM are advised to upgrade to these erratum packages, which contain backported patches for these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1138 CVE-2005-0069 CAN-2004-1138 vim arbitrary command execution vulnerability CAN-2005-0069 vim unsafe temporary file usage. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Ethereal is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws. A flaw in the DICOM dissector could cause a crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1139 to this issue. A invalid RTP timestamp could hang Ethereal and create a large temporary file, possibly filling available disk space. (CAN-2004-1140) The HTTP dissector could access previously-freed memory, causing a crash. (CAN-2004-1141) An improperly formatted SMB packet could make Ethereal hang, maximizing CPU utilization. (CAN-2004-1142) The COPS dissector could go into an infinite loop. (CAN-2005-0006) The DLSw dissector could cause an assertion, making Ethereal exit prematurely. (CAN-2005-0007) The DNP dissector could cause memory corruption. (CAN-2005-0008) The Gnutella dissector could cause an assertion, making Ethereal exit prematurely. (CAN-2005-0009) The MMSE dissector could free static memory, causing a crash. (CAN-2005-0010) The X11 protocol dissector is vulnerable to a string buffer overflow. (CAN-2005-0084) Users of Ethereal should upgrade to these updated packages which contain version 0.10.9 that is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1139 CVE-2004-1140 CVE-2004-1141 CVE-2004-1142 CVE-2005-0006 CVE-2005-0007 CVE-2005-0008 CVE-2005-0009 CVE-2005-0010 CVE-2005-0084 CAN-2004-1139 Ethereal flaws (CAN-2004-1140 CAN-2004-1141 CAN-2004-1142) CAN-2005-0006 multiple ethereal issues (CAN-2005-0007 CAN-2005-0008 CAN-2005-0009 CAN-2005-0010 CAN-2005-0084) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. iSEC Security Research has discovered a buffer overflow bug in the way Mozilla handles NNTP URLs. If a user visits a malicious web page or is convinced to click on a malicious link, it may be possible for an attacker to execute arbitrary code on the victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1316 to this issue. Users of Mozilla should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1316 CAN-2004-1316 buffer overflow in mozilla cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 GNU enscript converts ASCII files to PostScript. Enscript has the ability to interpret special escape sequences. A flaw was found in the handling of the epsf command used to insert inline EPS files into a document. An attacker could create a carefully crafted ASCII file which made use of the epsf pipe command in such a way that it could execute arbitrary commands if the file was opened with enscript by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1184 to this issue. Additional flaws in Enscript were also discovered which can only be triggered by executing enscript with carefully crafted command line arguments. These flaws therefore only have a security impact if enscript is executed by other programs and passed untrusted data from remote users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1185 and CAN-2004-1186 to these issues. All users of enscript should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1184 CVE-2004-1185 CVE-2004-1186 CAN-2004-1184 multiple security issues in enscript (CAN-2004-1185 CAN-2004-1186) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GNU enscript converts ASCII files to PostScript. Enscript has the ability to interpret special escape sequences. A flaw was found in the handling of the epsf command used to insert inline EPS files into a document. An attacker could create a carefully crafted ASCII file which made use of the epsf pipe command in such a way that it could execute arbitrary commands if the file was opened with enscript by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1184 to this issue. Additional flaws in Enscript were also discovered which can only be triggered by executing enscript with carefully crafted command line arguments. These flaws therefore only have a security impact if enscript is executed by other programs and passed untrusted data from remote users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1185 and CAN-2004-1186 to these issues. All users of enscript should upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1184 CVE-2004-1185 CVE-2004-1186 CAN-2004-1184 multiple security issues in enscript (CAN-2004-1185 CAN-2004-1186) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This advisory includes fixes for several security issues: iSEC Security Research discovered a VMA handling flaw in the uselib(2) system call of the Linux kernel. A local user could make use of this flaw to gain elevated (root) privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1235 to this issue. A flaw was discovered where an executable could cause a VMA overlap leading to a crash. A local user could trigger this flaw by creating a carefully crafted a.out binary on 32-bit systems or a carefully crafted ELF binary on Itanium systems. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0003 to this issue. iSEC Security Research discovered a flaw in the page fault handler code that could lead to local users gaining elevated (root) privileges on multiprocessor machines. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0001 to this issue. A patch that coincidentally fixed this issue was committed to the Update 4 kernel release in December 2004. Therefore Red Hat Enterprise Linux 3 kernels provided by RHBA-2004:550 and subsequent updates are not vulnerable to this issue. A flaw in the system call filtering code in the audit subsystem included in Red Hat Enterprise Linux 3 allowed a local user to cause a crash when auditing was enabled. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1237 to this issue. Olaf Kirch discovered that the recent security fixes for cmsg_len handling (CAN-2004-1016) broke 32-bit compatibility on 64-bit platforms such as AMD64 and Intel EM64T. A patch to correct this issue is included. A recent Internet Draft by Fernando Gont recommended that ICMP Source Quench messages be ignored by hosts. A patch to ignore these messages is included. Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2005 Red Hat, Inc. CVE-2004-0791 CVE-2004-1074 CVE-2004-1235 CVE-2004-1237 CVE-2005-0003 CAN-2004-1237 Kernel panic when stopping Lotus Domino 6.52 CAN-2004-1237 instant kernel panic from one line perl program - BAD CAN-2004-1237 kernel oops captured, system hangs CAN-2004-1237 kernel panic ( __audit_get_target) CAN-2004-1237 kernel panic caused by auditd CAN-2004-1237 kernel panic when Oracle agentctl is run CAN-2004-1235 isec.pl uselib() privilege escalation CAN-2005-0003 huge vma-in-executable bug cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This bug could allow an authenticated remote attacker to execute arbitrary commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1189 to this issue. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1189 CAN-2004-1189 buffer overflow in krb5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to remotely exploit these buffer overflow vulnerabilities on x86 architectures. All users of cups should upgrade to these updated packages, which resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0064 CAN-2005-0064 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf, which also affects CUPS due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. This issue was assigned the name CAN-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). Red Hat Enterprise Linux 4 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the ParseCommand function in the hpgltops program. An attacker who has the ability to send a malicious HPGL file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1267 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. The lppasswd utility was found to ignore write errors when modifying the CUPS passwd file. A local user who is able to fill the associated file system could corrupt the CUPS password file or prevent future uses of lppasswd. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1268 and CAN-2004-1269 to these issues. The lppasswd utility was found to not verify that the passwd.new file is different from STDERR, which could allow local users to control output to passwd.new via certain user input that triggers an error message. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1270 to this issue. All users of cups should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1125 CVE-2004-1267 CVE-2004-1268 CVE-2004-1269 CVE-2004-1270 CVE-2005-0064 CVE-2005-0206 CAN-2004-1267 Bernstein cups issues (CAN-2004-1268 CAN-2004-1269 CAN-2004-1270) CAN-2004-1125 xpdf buffer overflow CAN-2005-0064 xpdf buffer overflow CAN-2004-0888 xpdf issues affect cups (CAN-2005-0206) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GPdf is a viewer for Portable Document Format (PDF) files for GNOME. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf which also affects GPdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause GPdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects GPdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause GPdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf, which also affects GPdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause GPdf to crash or possibly execute arbitrary code when opened. This issue was assigned the name CAN-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). Red Hat Enterprise Linux 4 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. Users should update to this erratum package which contains backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1125 CVE-2005-0064 CVE-2005-0206 CAN-2004-1125 gpdf buffer overflow CAN-2005-0064 xpdf buffer overflow CAN-2004-0888 xpdf integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. A buffer overflow flaw was found when processing the /Encrypt /Length tag. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to exploit this vulnerability on x86 architectures. All users of the Xpdf package should upgrade to this updated package, which resolves this issue Important Copyright 2005 Red Hat, Inc. CVE-2005-0064 CAN-2005-0064 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Squid is a full-featured Web proxy cache. A buffer overflow flaw was found in the Gopher relay parser. This bug could allow a remote Gopher server to crash the Squid proxy that reads data from it. Although Gopher servers are now quite rare, a malicious webpage (for example) could redirect or contain a frame pointing to an attacker's malicious gopher server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0094 to this issue. An integer overflow flaw was found in the WCCP message parser. It is possible to crash the Squid server if an attacker is able to send a malformed WCCP message with a spoofed source address matching Squid's "home router". The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0095 to this issue. A memory leak was found in the NTLM fakeauth_auth helper. It is possible that an attacker could place the Squid server under high load, causing the NTML fakeauth_auth helper to consume a large amount of memory, resulting in a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0096 to this issue. A NULL pointer de-reference bug was found in the NTLM fakeauth_auth helper. It is possible for an attacker to send a malformed NTLM type 3 message, causing the Squid server to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0097 to this issue. A username validation bug was found in squid_ldap_auth. It is possible for a username to be padded with spaces, which could allow a user to bypass explicit access control rules or confuse accounting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0173 to this issue. The way Squid handles HTTP responses was found to need strengthening. It is possible that a malicious Web server could send a series of HTTP responses in such a way that the Squid cache could be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0174 and CAN-2005-0175 to these issues. A bug was found in the way Squid handled oversized HTTP response headers. It is possible that a malicious Web server could send a specially crafted HTTP header which could cause the Squid cache to be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0241 to this issue. A buffer overflow bug was found in the WCCP message parser. It is possible that an attacker could send a malformed WCCP message which could crash the Squid server or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0211 to this issue. Users of Squid should upgrade to this updated package, which contains backported patches, and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0094 CVE-2005-0095 CVE-2005-0096 CVE-2005-0097 CVE-2005-0173 CVE-2005-0174 CVE-2005-0175 CVE-2005-0211 CVE-2005-0241 CAN-2005-0094 Multiple issues with squid (CAN-2005-0095 CAN-2005-0096 CAN-2005-0097) CAN-2005-0173 Multiple squid issues (CAN-2005-0174 CAN-2005-0175) CAN-2005-0211 Buffer overflow in WCCP recvfrom() call CAN-2005-0241 Correct handling of oversized reply headers cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A buffer overflow flaw was found in the Gopher relay parser. This bug could allow a remote Gopher server to crash the Squid proxy that reads data from it. Although Gopher servers are now quite rare, a malicious web page (for example) could redirect or contain a frame pointing to an attacker's malicious gopher server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0094 to this issue. An integer overflow flaw was found in the WCCP message parser. It is possible to crash the Squid server if an attacker is able to send a malformed WCCP message with a spoofed source address matching Squid's "home router". The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0095 to this issue. A memory leak was found in the NTLM fakeauth_auth helper. It is possible that an attacker could place the Squid server under high load, causing the NTML fakeauth_auth helper to consume a large amount of memory, resulting in a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0096 to this issue. A NULL pointer de-reference bug was found in the NTLM fakeauth_auth helper. It is possible for an attacker to send a malformed NTLM type 3 message, causing the Squid server to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0097 to this issue. A username validation bug was found in squid_ldap_auth. It is possible for a username to be padded with spaces, which could allow a user to bypass explicit access control rules or confuse accounting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0173 to this issue. The way Squid handles HTTP responses was found to need strengthening. It is possible that a malicious web server could send a series of HTTP responses in such a way that the Squid cache could be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0174 and CAN-2005-0175 to these issues. A bug was found in the way Squid handled oversized HTTP response headers. It is possible that a malicious web server could send a specially crafted HTTP header which could cause the Squid cache to be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0241 to this issue. A buffer overflow bug was found in the WCCP message parser. It is possible that an attacker could send a malformed WCCP message which could crash the Squid server or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0211 to this issue. Users of Squid should upgrade to this updated package, which contains backported patches, and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0094 CVE-2005-0095 CVE-2005-0096 CVE-2005-0097 CVE-2005-0173 CVE-2005-0174 CVE-2005-0175 CVE-2005-0211 CVE-2005-0241 CAN-2005-0094 Multiple issues with squid (CAN-2005-0095 CAN-2005-0096 CAN-2005-0097) CAN-2005-0173 Multiple squid issues (CAN-2005-0174 CAN-2005-0175) CAN-2005-0241 Correct handling of oversized reply headers cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdelibs packages include libraries for the K Desktop Environment. Two flaws were found in the sandbox environment used to run Java-applets in the Konqueror web browser. If a user has Java enabled in Konqueror and visits a malicious website, the website could run a carefully crafted Java-applet and obtain escalated privileges allowing reading and writing of arbitrary files with the privileges of the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1145 to this issue. A flaw was discovered in the FTP kioslave. KDE applications such as Konqueror could be forced to execute arbitrary FTP commands via a carefully crafted ftp URL. The URL could also be crafted in such a way as to send an arbitrary email via SMTP. An attacker could make use of this flaw if a victim visits a malicious web site. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1165 to this issue. Users should update to these erratum packages which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1145 CVE-2004-1165 CAN-2004-1145 Konqueror Java Vulnerability CAN-2004-1165 kioslave command injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment including kpdf, a pdf file viewer. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf that also affects kpdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects kpdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf which also affects kpdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0888 to this issue. Users should update to these erratum packages which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-0888 CVE-2004-1125 CVE-2005-0064 CAN-2004-1125 kpdf buffer overflows (CAN-2005-0064) CAN-2004-0888 xpdf integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The less utility is a text file browser that resembles more, but has extended capabilities. Victor Ashik discovered a heap based buffer overflow in less, caused by a patch added to the less package in Red Hat Enterprise Linux 3. An attacker could construct a carefully crafted file that could cause less to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0086 to this issue. Note that this issue only affects the version of less distributed with Red Hat Enterprise Linux 3. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to remotely exploit this vulnerability on x86 architectures. All users of the less package should upgrade to this updated package, which resolves this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0086 CAN-2005-0086 less crashes on scrolling of binary files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 DBI is a database access Application Programming Interface (API) for the Perl programming language. The Debian Security Audit Project discovered that the DBI library creates a temporary PID file in an insecure manner. A local user could overwrite or create files as a different user who happens to run an application which uses DBI::ProxyServer. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0077 to this issue. Users should update to this erratum package which disables the temporary PID file unless configured. Low Copyright 2005 Red Hat, Inc. CVE-2005-0077 CAN-2005-0077 perl-DBI insecure temporary file usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 ImageMagick is an image display and manipulation tool for the X Window System. Andrei Nigmatulin discovered a heap based buffer overflow flaw in the ImageMagick image handler. An attacker could create a carefully crafted Photoshop Document (PSD) image in such a way that it would cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0005 to this issue. A format string bug was found in the way ImageMagick handles filenames. An attacker could execute arbitrary code on a victim's machine if they were able to trick the victim into opening a file with a specially crafted name. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0397 to this issue. A bug was found in the way ImageMagick handles TIFF tags. It is possible that a TIFF image file with an invalid tag could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0759 to this issue. A bug was found in ImageMagick's TIFF decoder. It is possible that a specially crafted TIFF image file could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0760 to this issue. A bug was found in the way ImageMagick parses PSD files. It is possible that a specially crafted PSD file could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0761 to this issue. A heap overflow bug was found in ImageMagick's SGI parser. It is possible that an attacker could execute arbitrary code by tricking a user into opening a specially crafted SGI image file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0762 to this issue. Users of ImageMagick should upgrade to these updated packages, which contain backported patches, and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0005 CVE-2005-0397 CVE-2005-0759 CVE-2005-0760 CVE-2005-0761 CVE-2005-0762 CAN-2005-0005 buffer overflow in ImageMagick CAN-2005-0397 ImageMagick format string flaw CAN-2005-0759 Denial of Service in .tiff images with invalid TAG CAN-2005-0760 Accessing memory outside of image during decoding of TIFF CAN-2005-0761 Bug in parsing PSD files CAN-2005-0762 Buffer overflow in SGI parser cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 ImageMagick is an image display and manipulation tool for the X Window System. Andrei Nigmatulin discovered a heap based buffer overflow flaw in the ImageMagick image handler. An attacker could create a carefully crafted Photoshop Document (PSD) image in such a way that it would cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0005 to this issue. Users of ImageMagick should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0005 CAN-2005-0005 buffer overflow in ImageMagick cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 DBI is a database access Application Programming Interface (API) for the Perl programming language. The Debian Security Audit Project discovered that the DBI library creates a temporary PID file in an insecure manner. A local user could overwrite or create files as a different user who happens to run an application which uses DBI::ProxyServer. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0077 to this issue. Users should update to this erratum package which disables the temporary PID file unless configured. Low Copyright 2005 Red Hat, Inc. CVE-2005-0077 CAN-2005-0077 perl-DBI insecure temporary file usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GNU cpio copies files into or out of a cpio or tar archive. It was discovered that cpio uses a 0 umask when creating files using the -O (archive) option. This creates output files with mode 0666 (all can read and write) regardless of the user's umask setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-1999-1572 to this issue. Users of cpio should upgrade to this updated package, which resolves this issue. Red Hat would like to thank Mike O'Connor for bringing this issue to our attention. Low Copyright 2005 Red Hat, Inc. CVE-1999-1572 CAN-1999-1572 cpio insecure file creation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The rsh package contains a set of programs that allow users to run commands on remote machines, login to other machines, and copy files between machines, using the rsh, rlogin, and rcp commands. All three of these commands use rhosts-style authentication. The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses rcp to copy files from a malicious server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0175 to this issue. These updated packages also address the following bugs: The rexec command failed with "Invalid Argument", because the code used sigaction() as an unsupported signal. The rlogind server reported "SIGCHLD set to SIG_IGN but calls wait()" message to the system log because the original BSD code was ported incorrectly to linux. The rexecd server did not function on systems where client hostnames were not in the DNS service, because server code called gethostbyaddr() for each new connection. The rcp command incorrectly used the "errno" variable and produced erroneous error messages. The rexecd command ignored settings in the /etc/security/limits file, because the PAM session was incorrectly initialized. The rexec command prompted for username and password regardless of the ~/.netrc configuration file contents. This updated package contains a patch that no longer skips the ~/.netrc file. All users of rsh should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-0175 rcp gives incorrect error report when file system writes fai rexec fails with "Invalid Argument" RHEL3: rexec prompts for username/password before checking ~/.netrc RHEL3: rexecd does not set limits on /etc/security/limits malicious rsh server can cause rcp to write to arbitrary files (like scp CAN-2004-0175) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 GNU cpio copies files into or out of a cpio or tar archive. It was discovered that cpio uses a 0 umask when creating files using the -O (archive) option. This creates output files with mode 0666 (all can read and write) regardless of the user's umask setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-1999-1572 to this issue. All users of cpio should upgrade to this updated package, which resolves this issue, and adds support for large files (> 2GB). Low Copyright 2005 Red Hat, Inc. CVE-1999-1572 cpio does not support large files > 2GB cpio fails to unpack initrd on ppc CAN-1999-1572 cpio insecure file creation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ghostscript is a program for displaying PostScript files or printing them to non-PostScript printers. A bug was found in the way several of Ghostscript's utility scripts created temporary files. A local user could cause these utilities to overwrite files that the victim running the utility has write access to. The Common Vulnerabilities and Exposures project assigned the name CAN-2004-0967 to this issue. Additionally, this update addresses the following issue: A problem has been identified in the PDF output driver, which can cause output to be delayed indefinitely on some systems. The fix has been backported from GhostScript 7.07. All users of ghostscript should upgrade to these updated packages, which contain backported patches to resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-0967 [7.05-20.1] gs gets stuck reading /dev/random CAN-2004-0967 temporary file vulnerabilities in various ghostscript scripts. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The ht://Dig system is a Web search and indexing system for a small domain or intranet. Michael Krax reported a cross-site scripting bug affecting htdig. An attacker could construct a carefully crafted URL which can cause a web browser to execute malicious script once visited. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-0085 to this issue. Users of htdig should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0085 CAN-2005-0085 XSS vulnerability in htdig 3.2.0b6 htdig packaging cleanups cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. This advisory includes fixes for several security issues: iSEC Security Research discovered multiple vulnerabilities in the IGMP functionality. These flaws could allow a local user to cause a denial of service (crash) or potentially gain privileges. Where multicast applications are being used on a system, these flaws may also allow remote users to cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1137 to this issue. iSEC Security Research discovered a flaw in the page fault handler code that could lead to local users gaining elevated (root) privileges on multiprocessor machines. (CAN-2005-0001) iSEC Security Research discovered a VMA handling flaw in the uselib(2) system call of the Linux kernel. A local user could make use of this flaw to gain elevated (root) privileges. (CAN-2004-1235) A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T architecture was discovered. A local user could use this flaw to write to privileged IO ports. (CAN-2005-0204) The Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not properly check the DMA lock, which could allow remote attackers or local users to cause a denial of service (X Server crash) or possibly modify the video output. (CAN-2004-1056) OGAWA Hirofumi discovered incorrect tables sizes being used in the filesystem Native Language Support ASCII translation table. This could lead to a denial of service (system crash). (CAN-2005-0177) Michael Kerrisk discovered a flaw in the 2.6.9 kernel which allows users to unlock arbitrary shared memory segments. This flaw could lead to applications not behaving as expected. (CAN-2005-0176) Improvements in the POSIX signal and tty standards compliance exposed a race condition. This flaw can be triggered accidentally by threaded applications or deliberately by a malicious user and can result in a denial of service (crash) or in occasional cases give access to a small random chunk of kernel memory. (CAN-2005-0178) The PaX team discovered a flaw in mlockall introduced in the 2.6.9 kernel. An unprivileged user could use this flaw to cause a denial of service (CPU and memory consumption or crash). (CAN-2005-0179) Brad Spengler discovered multiple flaws in sg_scsi_ioctl in the 2.6 kernel. An unprivileged user may be able to use this flaw to cause a denial of service (crash) or possibly other actions. (CAN-2005-0180) Kirill Korotaev discovered a missing access check regression in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch. On systems using the hugemem kernel, a local unprivileged user could use this flaw to cause a denial of service (crash). (CAN-2005-0090) A flaw in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch can allow syscalls to read and write arbitrary kernel memory. On systems using the hugemem kernel, a local unprivileged user could use this flaw to gain privileges. (CAN-2005-0091) An additional flaw in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch was discovered. On x86 systems using the hugemem kernel, a local unprivileged user may be able to use this flaw to cause a denial of service (crash). (CAN-2005-0092) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2005 Red Hat, Inc. CVE-2004-1056 CVE-2004-1137 CVE-2004-1235 CVE-2005-0001 CVE-2005-0090 CVE-2005-0091 CVE-2005-0092 CVE-2005-0176 CVE-2005-0177 CVE-2005-0178 CVE-2005-0179 CVE-2005-0180 CVE-2005-0204 CAN-2004-1137 IGMP flaws CAN-2005-0090 4GB split DoS CAN-2004-1235 isec.pl do_brk() privilege escalation CAN-2004-1056 insufficient locking checks in DRM code CAN-2005-0001 page fault @ SMP privilege escalation CAN-2005-0176 unlock someone elses ipc memory CAN-2005-0180 2.6 scsi ioctl integer overflow and information leak CAN-2005-0179 RLIMIT_MEMLOCK bypass and (2.6) unprivileged user DoS random poolsize sysctl handler integer overflow CAN-2005-0091 4g4g PROT_NONE fix (CAN-2005-0092) 20041212 Clear ebp on sysenter return CAN-2005-0177 nls_ascii incorrect table size CAN-2005-0178 tty/setsid race cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Thunderbird is a standalone mail and newsgroup client. A bug was found in the way Thunderbird handled synthetic middle click events. It is possible for a malicious web page to steal the contents of a victim's clipboard. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0146 to this issue. A bug was found in the way Thunderbird handled cookies when loading content over HTTP regardless of the user's preference. It is possible that a particular user could be tracked through the use of malicious mail messages which load content over HTTP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0149 to this issue. Users of Thunderbird are advised to upgrade to this updated package, which contains Thunderbird version 1.0 and is not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0146 CVE-2005-0149 CAN-2005-0149 Mail responds to cookie requests CAN-2005-0146 Synthetic middle-click event can steal clipboard contents cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SquirrelMail is a standards-based webmail package written in PHP4. Jimmy Conner discovered a missing variable initialization in Squirrelmail. This flaw could allow potential insecure file inclusions on servers where the PHP setting "register_globals" is set to "On". This is not a default or recommended setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0075 to this issue. A URL sanitisation bug was found in Squirrelmail. This flaw could allow a cross site scripting attack when loading the URL for the sidebar. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0103 to this issue. A missing variable initialization bug was found in Squirrelmail. This flaw could allow a cross site scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0104 to this issue. Users of Squirrelmail are advised to upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0075 CVE-2005-0103 CVE-2005-0104 CAN-2005-0075 Arbitrary code injection in Squirrelmail CAN-2005-0103 Multiple issues in squirrelmail (CAN-2005-0104) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mod_python is a module that embeds the Python language interpreter within the Apache web server, allowing handlers to be written in Python. Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL. A remote user could visit a carefully crafted URL that would gain access to objects that should not be visible, leading to an information leak. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0088 to this issue. Users of mod_python are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0088 CAN-2005-0088 mod_python information leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 D-BUS is a system for sending messages between applications. It is used both for the systemwide message bus service, and as a per-user-login-session messaging facility. Dan Reed discovered that a user can send and listen to messages on another user's per-user session bus if they know the address of the socket. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0201 to this issue. In Red Hat Enterprise Linux 4, the per-user session bus is only used for printing notifications, therefore this issue would only allow a local user to examine or send additional print notification messages. Users of dbus are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-0201 CAN-2005-0201 dbus information leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a stack based buffer overflow flaw in sperl, the Perl setuid wrapper. A local user could create a sperl executable script with a carefully created path name, overflowing the buffer and leading to root privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0156 to this issue. Kevin Finisterre discovered a flaw in sperl which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0155 to this issue. An unsafe file permission bug was discovered in the rmtree() function in the File::Path module. The rmtree() function removes files and directories in an insecure manner, which could allow a local user to read or delete arbitrary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0452 to this issue. Users of Perl are advised to upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-0452 CVE-2005-0155 CVE-2005-0156 CAN-2005-0155 multiple setuid perl issues (CAN-2005-0156 ) CAN-2004-0452 File::Path::rmtree() issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mod_python is a module that embeds the Python language interpreter within the Apache web server, allowing handlers to be written in Python. Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL. A remote user could visit a carefully crafted URL that would gain access to objects that should not be visible, leading to an information leak. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0088 to this issue. Users of mod_python are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0088 CAN-2005-0088 mod_python information leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a stack based buffer overflow flaw in sperl, the Perl setuid wrapper. A local user could create a sperl executable script with a carefully created path name, overflowing the buffer and leading to root privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0156 to this issue. Kevin Finisterre discovered a flaw in sperl which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0155 to this issue. Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-0452 CVE-2005-0155 CVE-2005-0156 Potential insecurity in CGI.pm CAN-2005-0155 multiple setuid perl issues (CAN-2005-0156) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH replaces rlogin and rsh, and provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over a secure channel. Public key authentication can be used for "passwordless" access to servers. The scp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses scp to copy files from a malicious server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0175 to this issue. These updated packages also correct the following bugs: On systems where direct ssh access for the root user was disabled by configuration (setting "PermitRootLogin no"), attempts to guess the root password could be judged as sucessful or unsucessful by observing a delay. On systems where the privilege separation feature was turned on, the user resource limits were not correctly set if the configuration specified to raise them above the defaults. It was also not possible to change an expired password. Users of openssh should upgrade to these updated packages, which contain backported patches to resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-0175 CAN-2004-0175 malicious ssh server can cause scp to write to arbitrary files OpenSSH does not allow users to change expired passwords when privsep is used SSH allows attacker to divine root password cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Python is an interpreted, interactive, object-oriented programming language. An object traversal bug was found in the Python SimpleXMLRPCServer. This bug could allow a remote untrusted user to do unrestricted object traversal and allow them to access or change function internals using the im_* and func_* attributes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0089 to this issue. Users of Python are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0089 CAN-2005-0089 python SimpleXMLRPCServer security issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Python is an interpreted, interactive, object-oriented programming language. An object traversal bug was found in the Python SimpleXMLRPCServer. This bug could allow a remote untrusted user to do unrestricted object traversal and allow them to access or change function internals using the im_* and func_* attributes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0089 to this issue. Users of Python are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0089 CAN-2005-0089 python SimpleXMLRPCServer security issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Emacs is a powerful, customizable, self-documenting, modeless text editor. Max Vozeler discovered several format string vulnerabilities in the movemail utility of Emacs. If a user connects to a malicious POP server, an attacker can execute arbitrary code as the user running emacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0100 to this issue. Users of Emacs are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0100 CAN-2005-0100 Arbitrary code execution in *emacs* cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Emacs is a powerful, customizable, self-documenting, modeless text editor. Max Vozeler discovered several format string vulnerabilities in the movemail utility of Emacs. If a user connects to a malicious POP server, an attacker can execute arbitrary code as the user running emacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0100 to this issue. Users of Emacs are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0100 CAN-2005-0100 Arbitrary code execution in *emacs* cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 VIM (Vi IMproved) is an updated and improved version of the vi screen-based editor. The Debian Security Audit Project discovered an insecure temporary file usage in VIM. A local user could overwrite or create files as a different user who happens to run one of the the vulnerable utilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0069 to this issue. All users of VIM are advised to upgrade to these erratum packages, which contain a backported patche for this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-0069 CAN-2005-0069 vim unsafe temporary file usage. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols. A logic error in the CRAM-MD5 code in the University of Washington IMAP (UW-IMAP) server was discovered. When Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, UW-IMAP does not properly enforce all the required conditions for successful authentication, which could allow remote attackers to authenticate as arbitrary users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0198 to this issue. All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0198 CAN-2005-0198 user validation issue in imap when using CRAM-MD5 authetication cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) is a print spooler. During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect Xpdf. CUPS contained a copy of the Xpdf code used for parsing PDF files and was therefore affected by these bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2004-0888 to this issue, and Red Hat released erratum RHSA-2004:543 with updated packages. It was found that the patch used to correct this issue was not sufficient and did not fully protect CUPS running on 64-bit architectures. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. These updated packages also include a fix that prevents the CUPS initscript from being accidentally replaced. All users of CUPS on 64-bit architectures should upgrade to these updated packages, which contain a corrected patch and are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0206 CAN-2004-0888 xpdf issues affect cups cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 XEmacs is a powerful, customizable, self-documenting, modeless text editor. Max Vozeler discovered several format string vulnerabilities in the movemail utility of XEmacs. If a user connects to a malicious POP server, an attacker can execute arbitrary code as the user running xemacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0100 to this issue. Users of XEmacs are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0100 CAN-2005-0100 Arbitrary code execution in *emacs* cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XEmacs is a powerful, customizable, self-documenting, modeless text editor. Max Vozeler discovered several format string vulnerabilities in the movemail utility of XEmacs. If a user connects to a malicious POP server, an attacker can execute arbitrary code as the user running xemacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0100 to this issue. Users of XEmacs are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0100 CAN-2005-0100 Arbitrary code execution in *emacs* cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SquirrelMail is a standards-based webmail package written in PHP4. Jimmy Conner discovered a missing variable initialization in Squirrelmail. This flaw could allow potential insecure file inclusions on servers where the PHP setting "register_globals" is set to "On". This is not a default or recommended setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0075 to this issue. A URL sanitisation bug was found in Squirrelmail. This flaw could allow a cross site scripting attack when loading the URL for the sidebar. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0103 to this issue. A missing variable initialization bug was found in Squirrelmail. This flaw could allow a cross site scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0104 to this issue. Users of Squirrelmail are advised to upgrade to this updated package, which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0075 CVE-2005-0103 CVE-2005-0104 CAN-2005-0075 Arbitrary code injection in Squirrelmail CAN-2005-0103 Multiple issues in squirrelmail (CAN-2005-0104) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The mailman package is software to help manage email discussion lists. A flaw in the true_path function of Mailman was discovered. A remote attacker who is a member of a private mailman list could use a carefully crafted URL and gain access to arbitrary files on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0202 to this issue. Note: Mailman installations running on Apache 2.0-based servers are not vulnerable to this issue. Users of mailman should update to these erratum packages that contain a patch and are not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0202 CAN-2005-0202 mailman flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mailman is software to help manage email discussion lists. A flaw in the true_path function of Mailman was discovered. A remote attacker who is a member of a private mailman list could use a carefully crafted URL and gain access to arbitrary files on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0202 to this issue. Note: Mailman installations running on Apache 2.0-based servers are not vulnerable to this issue. Users of Mailman should update to these erratum packages that contain a patch and are not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0202 CAN-2005-0202 mailman flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 A flaw in the LOAD command in PostgreSQL was discovered. A local user could use this flaw to load arbitrary shared libraries and therefore execute arbitrary code, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0227 to this issue. A permission checking flaw in PostgreSQL was discovered. A local user could bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0244 to this issue. Multiple buffer overflows were found in PL/PgSQL. A database user who has permissions to create plpgsql functions could trigger this flaw which could lead to arbitrary code execution, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0245 and CAN-2005-0247 to these issues. A flaw in the integer aggregator (intagg) contrib module for PostgreSQL was found. A user could create carefully crafted arrays and cause a denial of service (crash). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0246 to this issue. The update also fixes some minor problems, notably conflicts with SELinux. Users of postgresql should update to these erratum packages that contain patches and are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0227 CVE-2005-0244 CVE-2005-0245 CVE-2005-0246 CVE-2005-0247 CAN-2005-0227 Multiple security issues in PostgreSQL (CAN-2005-0244 CAN-2005-0245 CAN-2005-0246 CAN-2005-0247) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PostgreSQL is an advanced Object-Relational database management system (DBMS). A flaw in the LOAD command in PostgreSQL was discovered. A local user could use this flaw to load arbitrary shared librarys and therefore execute arbitrary code, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0227 to this issue. A permission checking flaw in PostgreSQL was discovered. A local user could bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0244 to this issue. Multiple buffer overflows were found in PL/PgSQL. A database user who has permissions to create plpgsql functions could trigger this flaw which could lead to arbitrary code execution, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0245 and CAN-2005-0247 to these issues. A flaw in the integer aggregator (intagg) contrib module for PostgreSQL was found. A user could create carefully crafted arrays and cause a denial of service (crash). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0246 to this issue. Users of PostgreSQL are advised to update to these erratum packages which are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0227 CVE-2005-0244 CVE-2005-0245 CVE-2005-0246 CVE-2005-0247 CAN-2005-0227 Multiple security issues in PostgreSQL (CAN-2005-0244 CAN-2005-0245 CAN-2005-0246 CAN-2005-0247) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS. A flaw was found in the ipv6 patch used with Postfix. When the file /proc/net/if_inet6 is not available and permit_mx_backup is enabled in smtpd_recipient_restrictions, this flaw could allow remote attackers to bypass e-mail restrictions and perform mail relaying by sending mail to an IPv6 hostname. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0337 to this issue. These updated packages also fix the following problems: - wrong permissions on doc directory - segfault when gethostbyname or gethostbyaddr fails All users of postfix should upgrade to these updated packages, which contain patches which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0337 newaliases segfaults when gethostbyname or gethostbyaddr fails CAN-2005-0337 open relay bug in postfix ipv6 patch Permissions on doc directory is wrong cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The rsh package contains a set of programs that allow users to run commands on remote machines, login to other machines, and copy files between machines, using the rsh, rlogin, and rcp commands. All three of these commands use rhosts-style authentication. The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses rcp to copy files from a malicious server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0175 to this issue. These updated packages also address the following bugs: The rlogind server reported "SIGCHLD set to SIG_IGN but calls wait()" message to the system log because the original BSD code was ported incorrectly to linux. The rexecd server did not function on systems where client hostnames were not in the DNS service, because server code called gethostbyaddr() for each new connection. The rcp command incorrectly used the "errno" variable and produced erroneous error messages. The rexecd command ignored settings in the /etc/security/limits file, because the PAM session was incorrectly initialized. All users of rsh should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-0175 RHEL4: rexecd does not set limits on /etc/security/limits RHEL4: rcp gives incorrect error report when file system writes fai cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A bug was found in the way Squid handles FQDN lookups. It was possible to crash the Squid server by sending a carefully crafted DNS response to an FQDN lookup. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0446 to this issue. Users of squid should upgrade to this updated package, which contains a backported patch, and is not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0446 CAN-2005-0446 Squid DoS from bad DNS response cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdenetwork packages contain a collection of networking applications for the K Desktop Environment. A bug was found in the way kppp handles privileged file descriptors. A malicious local user could make use of this flaw to modify the /etc/hosts or /etc/resolv.conf files, which could be used to spoof domain information. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0205 to this issue. Please note that the default installation of kppp on Red Hat Enterprise Linux uses consolehelper and is not vulnerable to this issue. However, the kppp FAQ provides instructions for removing consolehelper and running kppp suid root, which is a vulnerable configuration. Users of kdenetwork should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-0205 CAN-2005-0205 kppp local domain name hijacking cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. A bug was found in the Firefox string handling functions. If a malicious website is able to exhaust a system's memory, it becomes possible to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0255 to this issue. A bug was found in the way Firefox handles pop-up windows. It is possible for a malicious website to control the content in an unrelated site's pop-up window. (CAN-2004-1156) A bug was found in the way Firefox allows plug-ins to load privileged content into a frame. It is possible that a malicious webpage could trick a user into clicking in certain places to modify configuration settings or execute arbitrary code. (CAN-2005-0232 and CAN-2005-0527). A flaw was found in the way Firefox displays international domain names. It is possible for an attacker to display a valid URL, tricking the user into thinking they are viewing a legitimate webpage when they are not. (CAN-2005-0233) A bug was found in the way Firefox handles plug-in temporary files. A malicious local user could create a symlink to a victims directory, causing it to be deleted when the victim exits Firefox. (CAN-2005-0578) A bug has been found in one of Firefox's UTF-8 converters. It may be possible for an attacker to supply a specially crafted UTF-8 string to the buggy converter, leading to arbitrary code execution. (CAN-2005-0592) A bug was found in the Firefox javascript security manager. If a user drags a malicious link to a tab, the javascript security manager is bypassed which could result in remote code execution or information disclosure. (CAN-2005-0231) A bug was found in the way Firefox displays the HTTP authentication prompt. When a user is prompted for authentication, the dialog window is displayed over the active tab, regardless of the tab that caused the pop-up to appear and could trick a user into entering their username and password for a trusted site. (CAN-2005-0584) A bug was found in the way Firefox displays the save file dialog. It is possible for a malicious webserver to spoof the Content-Disposition header, tricking the user into thinking they are downloading a different filetype. (CAN-2005-0586) A bug was found in the way Firefox handles users "down-arrow" through auto completed choices. When an autocomplete choice is selected, the information is copied into the input control, possibly allowing a malicious web site to steal information by tricking a user into arrowing through autocompletion choices. (CAN-2005-0589) Several bugs were found in the way Firefox displays the secure site icon. It is possible that a malicious website could display the secure site icon along with incorrect certificate information. (CAN-2005-0593) A bug was found in the way Firefox displays the download dialog window. A malicious site can obfuscate the content displayed in the source field, tricking a user into thinking they are downloading content from a trusted source. (CAN-2005-0585) A bug was found in the way Firefox handles xsl:include and xsl:import directives. It is possible for a malicious website to import XSLT stylesheets from a domain behind a firewall, leaking information to an attacker. (CAN-2005-0588) A bug was found in the way Firefox displays the installation confirmation dialog. An attacker could add a long user:pass before the true hostname, tricking a user into thinking they were installing content from a trusted source. (CAN-2005-0590) A bug was found in the way Firefox displays download and security dialogs. An attacker could cover up part of a dialog window tricking the user into clicking "Allow" or "Open", which could potentially lead to arbitrary code execution. (CAN-2005-0591) Users of Firefox are advised to upgrade to this updated package which contains Firefox version 1.0.1 and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2004-1156 CVE-2005-0231 CVE-2005-0232 CVE-2005-0233 CVE-2005-0255 CVE-2005-0527 CVE-2005-0578 CVE-2005-0584 CVE-2005-0585 CVE-2005-0586 CVE-2005-0588 CVE-2005-0589 CVE-2005-0590 CVE-2005-0591 CVE-2005-0592 CVE-2005-0593 CAN-2004-1156 Frame injection vulnerability. CAN-2005-0585 download dialog URL spoofing CAN-2005-0233 homograph spoofing CAN-2005-0232 fireflashing vulnerability (CAN-2005-0527) CAN-2005-0231 firefox javascript tab security bypass CAN-2005-0255 Memory overwrite in string library CAN-2005-0578 Unsafe /tmp/plugtmp directory exploitable to erase user's files CAN-2005-0584 HTTP auth prompt tab spoofing CAN-2005-0586 Download dialog spoofing using Content-Disposition header CAN-2005-0588 XSLT can include stylesheets from arbitrary hosts CAN-2005-0589 Autocomplete data leak CAN-2005-0590 Install source spoofing with user:pass@host CAN-2005-0591 Spoofing download and security dialogs with overlapping windows CAN-2005-0592 Heap overflow possible in UTF8 to Unicode conversion CAN-2005-0593 SSL "secure site" indicator spoofing cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.Org X11 is the X Window System which provides the core functionality of the Linux GUI desktop. An integer overflow flaw was found in libXpm, which is used by some applications for loading of XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with libXpm to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0605 to this issue. Since the initial release of Red Hat Enterprise Linux 4, a number of issues have been addressed in the X.Org X11 X Window System. This erratum also updates X11R6.8 to the latest stable point release (6.8.2), which includes various stability and reliability fixes including (but not limited to) the following: - The 'radeon' driver has been modified to disable "RENDER" acceleration by default, due to a bug in the implementation which has not yet been isolated. This can be manually re-enabled by using the following option in the device section of the X server config file: Option "RenderAccel" - The 'vmware' video driver is now available on 64-bit AMD64 and compatible systems. - The Intel 'i810' video driver is now available on 64-bit EM64T systems. - Stability fixes in the X Server's PCI handling layer for 64-bit systems, which resolve some issues reported by "vesa" and "nv" driver users. - Support for Hewlett Packard's Itanium ZX2 chipset. - Nvidia "nv" video driver update provides support for some of the newer Nvidia chipsets, as well as many stability and reliability fixes. - Intel i810 video driver stability update, which fixes the widely reported i810/i815 screen refresh issues many have experienced. - Packaging fixes for multilib systems, which permit both 32-bit and 64-bit X11 development environments to be simultaneously installed without file conflicts. In addition to the above highlights, the X.Org X11 6.8.2 release has a large number of additional stability fixes which resolve various other issues reported since the initial release of Red Hat Enterprise Linux 4. All users of X11 should upgrade to these updated packages, which resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0605 font corruption on openoffice.org menus X is unusable on GeForce 6600GT with nForce4 CAN-2005-0605 XPM buffer overflow xorg-x11-6.8.1-23 missing half of Lucida fonts cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Squid is a full-featured Web proxy cache. A bug was found in the way Squid handles fully qualified domain name (FQDN) lookups. A malicious DNS server could crash Squid by sending a carefully crafted DNS response to an FQDN lookup. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0446 to this issue. This erratum also includes two minor patches to the LDAP helpers. One corrects a slight malformation in ldap search requests (although all known LDAP servers accept the requests). The other adds documentation for the -v option to the ldap helpers. Users of Squid should upgrade to this updated package, which contains a backported patch, and is not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0446 CAN-2005-0446 Squid DoS from bad DNS response cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The xpdf package is an X Window System-based viewer for Portable Document Format (PDF) files. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. This issue was assigned the name CAN-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). RHSA-2004:592 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. All users of xpdf should upgrade to this updated package, which contains backported patches to resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0206 CAN-2004-0888 xpdf integer overflows (CAN-2005-0206) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The Gaim application is a multi-protocol instant messaging client. Two HTML parsing bugs were discovered in Gaim. It is possible that a remote attacker could send a specially crafted message to a Gaim client, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0208 and CAN-2005-0473 to these issues. A bug in the way Gaim processes SNAC packets was discovered. It is possible that a remote attacker could send a specially crafted SNAC packet to a Gaim client, causing the client to stop responding. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0472 to this issue. Additionally, various client crashes, memory leaks, and protocol issues have been resolved. Users of Gaim are advised to upgrade to this updated package which contains Gaim version 1.1.4 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0208 CVE-2005-0472 CVE-2005-0473 CAN-2005-0472 Gaim DoS issues (CAN-2005-0473) CAN-2005-0208 Gaim HTML parsing DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The ipsec-tools package is used in conjunction with the IPsec functionality in the linux kernel. The ipsec-tools package includes: - setkey, a program to directly manipulate policies and SAs - racoon, an IKEv1 keying daemon A bug was found in the way the racoon daemon handled incoming ISAKMP requests. It is possible that an attacker could crash the racoon daemon by sending a specially crafted ISAKMP packet. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0398 to this issue. Additionally, the following issues have been fixed: - racoon mishandled restarts in the presence of stale administration sockets. - on Red Hat Enterprise Linux 4, racoon and setkey did not properly set up forward policies, which prevented tunnels from working. Users of ipsec-tools should upgrade to this updated package, which contains backported patches, and is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0398 CAN-2005-0398 racoon DoS CAN-2005-0398 racoon DoS racoon unable to start with stale socket /tmp/.racoon ipsec/racoon/setkey does not properly forward packets to vpn peer cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mailman manages electronic mail discussion and e-newsletter lists. A cross-site scripting (XSS) flaw in the driver script of mailman prior to version 2.1.5 could allow remote attackers to execute scripts as other web users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1177 to this issue. Users of mailman should update to this erratum package, which corrects this issue by turning on STEALTH_MODE by default and using Utils.websafe() to quote the html. Important Copyright 2005 Red Hat, Inc. CVE-2004-1177 Mailman doesn't work with courier init script doesn't use /var/lock/subsys mailman logrotate has wrong location for mailmanctl CAN-2004-1177 - mailman cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Evolution is the GNOME collection of personal information management (PIM) tools. Evolution includes a mailer, calendar, contact manager, and communication facility. The tools which make up Evolution are tightly integrated with one another and act as a seamless personal information management tool. A bug was found in Evolution's helper program camel-lock-helper. This bug could allow a local attacker to gain root privileges if camel-lock-helper has been built to execute with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0102 to this issue. On Red Hat Enterprise Linux, camel-lock-helper is not built to execute with elevated privileges by default. Please note however that if users have rebuilt Evolution from the source RPM, as the root user, camel-lock-helper may be given elevated privileges. Additionally, these updated packages address the following issues: -- If evolution ran during a GNOME session, the evolution-wombat process did not exit when the user logged out of the desktop. -- For folders marked for Offline Synchronization: if a user moved a message from a Local Folder to an IMAP folder while in Offline mode, the message was not present in either folder after returning to Online mode. This update fixes this problem. Email messages that have been lost this way may still be present in the following path: ~/evolution/&lt;NAME_OF_MAIL_STORE&gt;/ \ &lt;path-to-folder-via-subfolder-directories&gt;/ \ &lt;temporary-uid-of-message&gt; If this bug has affected you it may be possible to recover data by examining the contents of this directory. All users of evolution should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0102 Moving to IMAP folder while offline eats mail CAN-2005-0102 Integer overflow in camel-lock-helper .ics import crashes Evolution Creating a meeting crashes evolution Cannot create all day event in calendar cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The GNU libc packages (known as glibc) contain the standard C libraries used by applications. It was discovered that the use of LD_DEBUG, LD_SHOW_AUXV, and LD_DYNAMIC_WEAK were not restricted for a setuid program. A local user could utilize this flaw to gain information, such as the list of symbols used by the program. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1453 to this issue. This erratum addresses the following bugs in the GNU C Library: - fix stack alignment in IA-32 clone - fix double free in globfree - fix fnmatch to avoid jumping based on unitialized memory read - fix fseekpos after ungetc - fix TZ env var handling if the variable ends with + or - - avoid depending on values read from unitialized memory in strtold on certain architectures - fix mapping alignment computation in dl-load - fix i486+ strncat inline assembly - make gethostid/sethostid work on bi-arch platforms - fix ppc64 getcontext/swapcontext - fix pthread_exit if called after pthread_create, but before the created thread actually started - fix return values for tgamma (+-0) - fix handling of very long lines in /etc/hosts - avoid page aliasing of thread stacks on AMD64 - avoid busy loop in malloc if concurrent with fork - allow putenv and setenv in shared library constructors - fix restoring of CCR in swapcontext and getcontext on ppc64 - avoid using sigaction (SIGPIPE, ...) in syslog implementation All users of glibc should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1453 telnet: 0: Name or service not known re_compile_pattern segfault [RHEL3] glibc behavior with long lines in /etc/hosts [RHEL3] libc's getXXent and getXXbyYY are inefficient for large groups x86_64 ecvt() returns "inf" for valid denormalized doubles zdump -v GMT segfaults in x86_64 CAN-2004-1453 Information leak with LD_DEBUG pthread_getspecific gets non-NULL value for new key nscd fails with big group in ldap malloc: top chunk is corrupt w/ MALLOC_CHECK_=3 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Evolution is the GNOME collection of personal information management (PIM) tools. A format string bug was found in Evolution. If a user tries to save a carefully crafted meeting or appointment, arbitrary code may be executed as the user running Evolution. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2550 to this issue. Additionally, several other format string bugs were found in Evolution. If a user views a malicious vCard, connects to a malicious LDAP server, or displays a task list from a malicious remote server, arbitrary code may be executed as the user running Evolution. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2549 to this issue. Please note that this issue only affects Red Hat Enterprise Linux 4. All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-2549 CVE-2005-2550 CAN-2005-2549 Sitic Vulnerability Advisory: SA05-001 Evolution multiple remote format string bugs (RHEL4) (CAN-2005-2550) CAN-2005-2550 Sitic Vulnerability Advisory: SA05-001 Evolution multiple remote format string bugs (RHEL3) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 HelixPlayer is a media player. A stack based buffer overflow bug was found in HelixPlayer's Synchronized Multimedia Integration Language (SMIL) file processor. An attacker could create a specially crafted SMIL file which would execute arbitrary code when opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0455 to this issue. A buffer overflow bug was found in the way HelixPlayer decodes WAV files. An attacker could create a specially crafted WAV file which could execute arbitrary code when opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0611 to this issue. All users of HelixPlayer are advised to upgrade to this updated package, which contains HelixPlayer 1.0.3 which is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0455 CVE-2005-0611 CAN-2005-0455 buffer overflow in helixplayer CAN-2005-0611 .wav overflow in helixplayer cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A bug was found in the Mozilla string handling functions. If a malicious website is able to exhaust a system's memory, it becomes possible to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0255 to this issue. Please note that other security issues have been found that affect Mozilla. These other issues have a lower severity, and are therefore planned to be released as additional security updates in the future. Users of Mozilla should upgrade to these updated packages, which contain a backported patch and are not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0255 CAN-2005-0255 Memory overwrite in string library cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The following security issues were fixed: The Vicam USB driver did not use the copy_from_user function to access userspace, crossing security boundaries. (CAN-2004-0075) The ext3 and jfs code did not properly initialize journal descriptor blocks. A privileged local user could read portions of kernel memory. (CAN-2004-0177) The terminal layer did not properly lock line discipline changes or pending IO. An unprivileged local user could read portions of kernel memory, or cause a denial of service (system crash). (CAN-2004-0814) A race condition was discovered. Local users could use this flaw to read the environment variables of another process that is still spawning via /proc/.../cmdline. (CAN-2004-1058) A flaw in the execve() syscall handling was discovered, allowing a local user to read setuid ELF binaries that should otherwise be protected by standard permissions. (CAN-2004-1073). Red Hat originally reported this as being fixed by RHSA-2004:549, but the associated fix was missing from that update. Keith Owens reported a flaw in the Itanium unw_unwind_to_user() function. A local user could use this flaw to cause a denial of service (system crash) on the Itanium architecture. (CAN-2005-0135) A missing Itanium syscall table entry could allow an unprivileged local user to cause a denial of service (system crash) on the Itanium architecture. (CAN-2005-0137) A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T architectures was discovered. A local user could use this flaw to access privileged IO ports. (CAN-2005-0204) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CAN-2005-0384) A flaw in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 was discovered that left a pointer to a freed tty structure. A local user could potentially use this flaw to cause a denial of service (system crash) or possibly gain read or write access to ttys that should normally be prevented. (CAN-2005-0403) A flaw in fragment queuing was discovered affecting the netfilter subsystem. On systems configured to filter or process network packets (for example those configured to do firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to sucessfully exploit this flaw, the attacker would need to know (or guess) some aspects of the firewall ruleset in place on the target system to be able to craft the right fragmented packets. (CAN-2005-0449) Missing validation of an epoll_wait() system call parameter could allow a local user to cause a denial of service (system crash) on the IBM S/390 and zSeries architectures. (CAN-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (system crash). (CAN-2005-0749) A flaw was discovered in the bluetooth driver system. On system where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CAN-2005-0750) In addition to the security issues listed above, there was an important fix made to the handling of the msync() system call for a particular case in which the call could return without queuing modified mmap()'ed data for file system update. (BZ 147969) Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures/configurations Please note that the fix for CAN-2005-0449 required changing the external symbol linkages (kernel module ABI) for the ip_defrag() and ip_ct_gather_frags() functions. Any third-party module using either of these would also need to be fixed. Important Copyright 2005 Red Hat, Inc. CVE-2004-0075 CVE-2004-0177 CVE-2004-0814 CVE-2004-1058 CVE-2004-1073 CVE-2005-0135 CVE-2005-0137 CVE-2005-0204 CVE-2005-0384 CVE-2005-0403 CVE-2005-0449 CVE-2005-0736 CVE-2005-0749 CVE-2005-0750 CAN-2004-0177 ext3 infoleak CAN-2004-0075 Vicam USB user/kernel copying oops in drivers/char/tty_io.c:init_dev() CAN-2004-0814 potential race condition in RHEL 2.1/3 tty layer CAN-2004-0814 input/serio local DOS CAN-2004-1058 /proc/<PID>/cmdline information disclosure CAN-2005-0403 panic in tty init_dev random poolsize sysctl handler integer overflow msync(..., ..., MS_SYNC) returning before data written to disk CAN-2005-0204 OUTS instruction does not cause SIGSEGV for all ports CAN-2005-0135 ia64 local DoS Kernel panic: Code: Bad EIP value kernel locks up tty/psuedo-tty access CAN-2005-0384 pppd remote DoS CAN-2005-0449 Possible remote Oops/firewall bypass - kABI breaker CAN-2005-0750 bluetooth security flaw CAN-2005-0749 load_elf_library possible DoS CAN-2004-1073 looks unfixed in RHEL3 CAN-2005-0137 ia64 syscall_table DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the fifth regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include: - support for 2-TB partitions on block devices - support for new disk, network, and USB devices - support for clustered APIC mode on AMD64 NUMA systems - netdump support on AMD64, Intel EM64T, Itanium, and ppc64 systems - diskdump support on sym53c8xx and SATA piix/promise adapters - NMI switch support on AMD64 and Intel EM64T systems There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. Some key areas affected by these fixes include the kernel's networking, SATA, TTY, and USB subsystems, as well as the architecture-dependent handling under the ia64, ppc64, and x86_64 directories. Scalability improvements were made primarily in the memory management and file system areas. A flaw in offset handling in the xattr file system code backported to Red Hat Enterprise Linux 3 was fixed. On 64-bit systems, a user who can access an ext3 extended-attribute-enabled file system could cause a denial of service (system crash). This issue is rated as having a moderate security impact (CAN-2005-0757). The following device drivers have been upgraded to new versions: 3c59x ------ LK1.1.18 3w-9xxx ---- 2.24.00.011fw (new in Update 5) 3w-xxxx ---- 1.02.00.037 8139too ---- (upstream 2.4.29) b44 -------- 0.95 cciss ------ v2.4.54.RH1 e100 ------- 3.3.6-k2 e1000 ------ 5.6.10.1-k2 lpfcdfc ---- 1.0.13 (new in Update 5) tg3 -------- 3.22RH Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0757 BLKPG_ADD_PARTITION op of BLKPG ioctl doesn't let you add partitions >= 1TB Getting OOM errors on an unconstrained system CAN-2004-0177 ext3 infoleak Raw device I/O transfer size limited to 32KB. API Breakage: NFS "No locks available" with kernel 2.4.21-15.ELsmp Unexpected error: VFS: Busy inodes after unmount. Self-destruct in 5 seconds. CAN-2004-0075 Vicam USB user/kernel copying Panic is occurring in the I/O completion interrupt handling for the character interface driver (sg). Add the 3w-9xxx module (required for the 9000 series 3ware cards) ICH6 SATA support Strange output of /proc/mtrr Request to include EMC Celerra and iSCSI devices to the black list oops in drivers/char/tty_io.c:init_dev() CAN-2004-0814 potential race condition in RHEL 2.1/3 tty layer O_DIRECT doesn't work on LVM devices NFS intr flag prevents core dumps LTC-8859: softdog.o need to be included into RHEL distributions x86 compatibility mode apps using signals crash under EM64T POSIX Asynchronous IO support is unstable Kernel Panic: Unable to satisfy kernel paging request... when starting ServerVantage. [RHEL3][IA32E][X86_64]Wrong FPU IP and DP in the SIGFPE signal context CAN-2004-0814 input/serio local DOS CAN-2004-1058 /proc/<PID>/cmdline information disclosure 3c59x: eth0: Transmit error, Tx status register d0. (10Mb hub) kernel crash, fatal exception, accessing /proc, EXT3-fs error Ia32e + Intel SATA 82801EB + kernel 2.4.21-20EL; unable to mount root partition. Panics while backing up LVM snapshots RHEL3U3 panics on boot for HP rx5670 NFS ESTALES returned on open [IT50092] When copying rootfs to /mnt/sdc/, rsync accessed /proc/kcore and kernel crashed NFS direct reads don't flush dirty cached pages RHEL3U2/U3 x86-64 - /proc/mtrr reported incorrectly ps shows bad PPID worktodo does not support NFS aio tg3 fiber auto-negotiation Kernel hang when cat'ting file on intr NFS mount MCA in tulip on ifconfig down/reboot [RHEL3-U5][Diskdump] Stalls before printing "CPU frozen" usb: raced timeout errors when using usb/serial adapter Unkillable processes under 64bit Linux which use Kernel Asynchronous I/O [RHEL3-U4][Diskdump] Diskdump failed with serial console enabled [RHEL3-U4][Diskdump] Segmentation Fault after cliloop [RHEL3-U5][Diskdump] All CPUs are displayed in CPU frozen em64t/ia32e kernel panic: 'interrupt handler - not syncing' during heavy network I/O lx-choptp19 crashed running 2.4.21-20.EL.BZ131027.hotfixhugemem stack overflows can occur on x86_64 under stack pressure when softirq's are handled Kernel wrongly complains about application bug when loading modules [RHEL3][PATCH] SIOCGHWADDR does not clear buffer for ppp connections RHEL3 PATCH dev.c: clear SIOCGIFHWADDR buffer if !dev->addr_len e100 and e1000 drivers should return EINVAL when ethtool tries to set rx-mini or rx-jumbo nptl futex_wait fix [PATCH] memory leak in ipv6 ip6_{push,flush}_pending_frames() FAT32 file system zero length files corruption after remount ATAPI-CDROM not accessible with kernel options ide-scsi and swiotlb Infinite loop when syncing over automounted NFS bonding with mii monitoring does not work with realtek card [PATCH] video1394 fixes sata_sx4 4GB problem Unable to handle kernel NULL pointer dereference at virtual address 00000004 NIC BCM4401 on Dell Inspiron 5100 broken kernel can not register scsi LUNs above 7 for mylexFFx2 FC RAID controller CAN-2005-0403 panic in tty init_dev U4 kernel sound broken on certain AC 97 systems Fibre Channel tape speed regression (qla2200) random poolsize sysctl handler integer overflow Anaconda installer partion error large RAID volume kernel panic in get_signal_to_deliver panic_on_oops hook removed on ia64 by diskdump patch tar crashes DELL server every 4th day. mmap() system call can return Nil recv returns EAGAIN instead of EINTR when interrupted ext2/ext3 w/ 1024 blocksize eats all memory rsync creating truncated files on fat32 filesystem Race condition in md subsystem causes panic laus incorrectly truncates path string when predicate filter is used msync(..., ..., MS_SYNC) returning before data written to disk CAN-2005-0204 OUTS instruction does not cause SIGSEGV for all ports CAN-2005-0135 ia64 local DoS Kernel panic: Code: Bad EIP value kernel locks up tty/psuedo-tty access CAN-2005-0384 pppd remote DoS CAN-2005-0449 Possible remote Oops/firewall bypass - kABI breaker Running lshw causes MCA on Olympia rx8620 CAN-2005-0750 bluetooth security flaw CAN-2005-0749 load_elf_library possible DoS CAN-2004-1073 looks unfixed in RHEL3 sata_sil missing PCI IDs for ATI SATA controller Repeated Kernel Panics while using LVM Snapshot CAN-2005-0137 ia64 syscall_table DoS SIGCHLD set to SIG_IGN but calls wait(). aggressively clean bhs sata_promise in 2.4.21-27.0.4.EL doesn't support Promise sataII 150 tx4 yet cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The libexif package contains the EXIF library. Applications use this library to parse EXIF image files. A bug was found in the way libexif parses EXIF tags. An attacker could create a carefully crafted EXIF image file which could cause image viewers linked against libexif to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0664 to this issue. Users of libexif should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-0664 CAN-2005-0664 buffer overflow in libexif cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The ethereal package is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws and cause Ethereal to crash or potentially execute arbitrary code. A buffer overflow flaw was discovered in the Etheric dissector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0704 to this issue. The GPRS-LLC dissector could crash if the "ignore cipher bit" option was set. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0705 to this issue. A buffer overflow flaw was discovered in the 3GPP2 A11 dissector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0699 to this issue. A buffer overflow flaw was discovered in the IAPP dissector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0739 to this issue. Users of ethereal should upgrade to these updated packages, which contain version 0.10.10 and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0699 CVE-2005-0704 CVE-2005-0705 CVE-2005-0739 CVE-2005-0765 CVE-2005-0766 CAN-2005-0699 Multiple ethereal issues (CAN-2005-0704 CAN-2005-0705) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdelibs package provides libraries for the K Desktop Environment. Sebastian Krahmer discovered a flaw in dcopserver, the KDE Desktop Communication Protocol (DCOP) daemon. A local user could use this flaw to stall the DCOP authentication process, affecting any local desktop users and causing a reduction in their desktop functionality. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0396 to this issue. Users of KDE should upgrade to these erratum packages, which contain backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0396 CAN-2005-0396 kdelibs DCOP DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 ImageMagick(TM) is an image display and manipulation tool for the X Window System which can read and write multiple image formats. A format string bug was found in the way ImageMagick handles filenames. An attacker could execute arbitrary code on a victim's machine if they were able to trick the victim into opening a file with a specially crafted name. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0397 to this issue. Additionally, a bug was fixed which caused ImageMagick(TM) to occasionally segfault when writing TIFF images to standard output. Users of ImageMagick should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0397 Segmentation fault on conversion to TIFF (possible libtiff bug) CAN-2005-0397 ImageMagick format string flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A buffer overflow bug was found in the way Mozilla processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0399 to this issue. A bug was found in the way Mozilla displays dialog windows. It is possible that a malicious web page which is being displayed in a background tab could present the user with a dialog window appearing to come from the active page. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1380 to this issue. A bug was found in the way Mozilla allowed plug-ins to load privileged content into a frame. It is possible that a malicious webpage could trick a user into clicking in certain places to modify configuration settings or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0232 to this issue. A bug was found in the way Mozilla Mail handles cookies when loading content over HTTP regardless of the user's preference. It is possible that a particular user could be tracked through the use of malicious mail messages which load content over HTTP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0149 to this issue. A bug was found in the way Mozilla responds to proxy auth requests. It is possible for a malicious webserver to steal credentials from a victims browser by issuing a 407 proxy authentication request. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0147 to this issue. A bug was found in the way Mozilla handles certain start tags followed by a NULL character. A malicious web page could cause Mozilla to crash when viewed by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1613 to this issue. A bug was found in the way Mozilla sets file permissions when installing XPI packages. It is possible for an XPI package to install some files world readable or writable, allowing a malicious local user to steal information or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0906 to this issue. A bug was found in the way Mozilla loads links in a new tab which are middle clicked. A malicious web page could read local files or modify privileged chrom settings. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0141 to this issue. A bug was found in the way Mozilla displays the secure site icon. A malicious web page can use a view-source URL targetted at a secure page, while loading an insecure page, yet the secure site icon shows the previous secure state. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0144 to this issue. Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.4.4 and additional backported patches to correct these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2004-0906 CVE-2004-1380 CVE-2004-1613 CVE-2005-0141 CVE-2005-0144 CVE-2005-0147 CVE-2005-0149 CVE-2005-0232 CVE-2005-0399 CAN-2005-0141 Link opened in new tab can load a local file CAN-2005-0144 Secure site lock can be spoofed with view-source: CAN-2004-1380 Input stealing from other tabs (CAN-2004-1381) CAN-2005-0147 Browser responds to proxy auth request from non-proxy server (ssl/https) CAN-2005-0149 Mail responds to cookie requests CAN-2005-0399 mozilla GIF buffer overflow CAN-2004-1613 Mozilla start tag NULL character DoS CAN-2004-0906 Mozilla XPI installer insecure file creation CAN-2005-0232 fireflashing vulnerability (CAN-2005-0527) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdelibs package provides libraries for the K Desktop Environment. The International Domain Name (IDN) support in the Konqueror browser allowed remote attackers to spoof domain names using punycode encoded domain names. Such domain names are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0237 to this issue. Sebastian Krahmer discovered a flaw in dcopserver, the KDE Desktop Communication Protocol (DCOP) daemon. A local user could use this flaw to stall the DCOP authentication process, affecting any local desktop users and causing a reduction in their desktop functionality. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0396 to this issue. A flaw in the dcopidlng script was discovered. The dcopidlng script would create temporary files with predictable filenames which could allow local users to overwrite arbitrary files via a symlink attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0365 to this issue. Users of KDE should upgrade to these erratum packages which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0237 CVE-2005-0365 CVE-2005-0396 CAN-2005-0237 homograph spoofing CAN-2005-0365 dcopidlng insecure temporary file usage CAN-2005-0396 kdelibs DCOP DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The telnet package provides a command line telnet client. The telnet-server package includes a telnet daemon, telnetd, that supports remote login to the host machine. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0468 and CAN-2005-0469 to these issues. Additionally, the following bugs have been fixed in these erratum packages for Red Hat Enterprise Linux 2.1 and Red Hat Enterprise Linux 3: - telnetd could loop on an error in the child side process - There was a race condition in telnetd on a wtmp lock on some occasions - The command line in the process table was sometimes too long and caused bad output from the ps command - The 8-bit binary option was not working Users of telnet should upgrade to this updated package, which contains backported patches to correct these issues. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0468 CVE-2005-0469 Too long /proc/X/cmdline: bad ps output when piped to less/more telnetd cleanup() race condition with syslog in signal handler [PATCH] telnetd loops on child IO error [RHEL3] telnetd cleanup() race condition with syslog in signal handler CAN-2005-0469 slc_add_reply() Buffer Overflow Vulnerability CAN-2005-0468 env_opt_add() Buffer Overflow Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0468 and CAN-2005-0469 to these issues. Users of krb5 should update to these erratum packages which contain a backported patch to correct this issue. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0468 CVE-2005-0469 CAN-2005-0469 Multiple Telnet Client issues (CAN-2005-0468) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon. An integer overflow flaw was found in libXpm, which is used by some applications for loading of XPM images. An attacker could create a malicious XPM file that would execute arbitrary code if opened by a victim using an application linked to the vulnerable library. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0605 to this issue. The updated XFree86 packages also address the following minor issues: - Updated XFree86-4.3.0-keyboard-disable-ioport-access-v3.patch to make warning messages less alarmist. - Backported XFree86-4.3.0-libX11-stack-overflow.patch from xorg-x11-6.8.1 packaging to fix stack overflow in libX11, which was discovered by new security features of gcc4. Users of XFree86 should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0605 libX11 overflows it's own stack CAN-2005-0605 XPM buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The xloadimage utility displays images in an X Window System window, loads images into the root window, or writes images into a file. Xloadimage supports many image types (including GIF, TIFF, JPEG, XPM, and XBM). A flaw was discovered in xloadimage where filenames were not properly quoted when calling the gunzip command. An attacker could create a file with a carefully crafted filename so that it would execute arbitrary commands if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0638 to this issue. Another bug in xloadimage would cause it to crash if called with certain invalid TIFF, PNM, PBM, or PPM file names. All users of xloadimage should upgrade to this erratum package which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0638 xloadimage crashes with some TIFF images bad source code CAN-2005-0638 xloadimage multiple issues. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 MySQL is a multi-user, multi-threaded SQL database server. This update fixes several security risks in the MySQL server. Stefano Di Paola discovered two bugs in the way MySQL handles user-defined functions. A user with the ability to create and execute a user defined function could potentially execute arbitrary code on the MySQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0709 and CAN-2005-0710 to these issues. Stefano Di Paola also discovered a bug in the way MySQL creates temporary tables. A local user could create a specially crafted symlink which could result in the MySQL server overwriting a file which it has write access to. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-0711 to this issue. All users of the MySQL server are advised to upgrade to these updated packages, which contain fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0709 CVE-2005-0710 CVE-2005-0711 CAN-2005-0711 Insecure temporary file creation with CREATE TEMPORARY TABLE CAN-2005-0710 MySQL security attacks via user-defined functions in C (CAN-2005-0709) CAN-2005-0710 MySQL security attacks via user-defined functions in C (CAN-2005-0709) CAN-2005-0711 Insecure temporary file creation with CREATE TEMPORARY TABLE cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A buffer overflow bug was found in the way Mozilla processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0399 to this issue. A bug was found in the way Mozilla responds to proxy auth requests. It is possible for a malicious webserver to steal credentials from a victims browser by issuing a 407 proxy authentication request. (CAN-2005-0147) A bug was found in the way Mozilla displays dialog windows. It is possible that a malicious web page which is being displayed in a background tab could present the user with a dialog window appearing to come from the active page. (CAN-2004-1380) A bug was found in the way Mozilla Mail handles cookies when loading content over HTTP regardless of the user's preference. It is possible that a particular user could be tracked through the use of malicious mail messages which load content over HTTP. (CAN-2005-0149) A flaw was found in the way Mozilla displays international domain names. It is possible for an attacker to display a valid URL, tricking the user into thinking they are viewing a legitimate webpage when they are not. (CAN-2005-0233) A bug was found in the way Mozilla handles pop-up windows. It is possible for a malicious website to control the content in an unrelated site's pop-up window. (CAN-2004-1156) A bug was found in the way Mozilla saves temporary files. Temporary files are saved with world readable permissions, which could allow a local malicious user to view potentially sensitive data. (CAN-2005-0142) A bug was found in the way Mozilla handles synthetic middle click events. It is possible for a malicious web page to steal the contents of a victims clipboard. (CAN-2005-0146) A bug was found in the way Mozilla processes XUL content. If a malicious web page can trick a user into dragging an object, it is possible to load malicious XUL content. (CAN-2005-0401) A bug was found in the way Mozilla loads links in a new tab which are middle clicked. A malicious web page could read local files or modify privileged chrom settings. (CAN-2005-0141) A bug was found in the way Mozilla displays the secure site icon. A malicious web page can use a view-source URL targetted at a secure page, while loading an insecure page, yet the secure site icon shows the previous secure state. (CAN-2005-0144) A bug was found in the way Mozilla displays the secure site icon. A malicious web page can display the secure site icon by loading a binary file from a secured site. (CAN-2005-0143) A bug was found in the way Mozilla displays the download dialog window. A malicious site can obfuscate the content displayed in the source field, tricking a user into thinking they are downloading content from a trusted source. (CAN-2005-0585) Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.7.6 to correct these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2004-1380 CVE-2005-0141 CVE-2005-0142 CVE-2005-0143 CVE-2005-0144 CVE-2005-0146 CVE-2005-0149 CVE-2005-0399 CVE-2005-0401 CAN-2004-1156 Frame injection vulnerability. CAN-2005-0585 download dialog URL spoofing CAN-2005-0141 multiple mozilla issues CAN-2004-1316 CAN-2005-0142 CAN-2005-0143 CAN-2005-0144 CAN-2004-1380 CAN-2004-1381 CAN-2005-0146 CAN-2005-0147 CAN-2005-0149 CAN-2005-0233 homograph spoofing CAN-2005-0399 mozilla GIF buffer overflow CAN-2005-0401 Drag and drop loading of privileged XUL cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. A buffer overflow bug was found in the way Firefox processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0399 to this issue. A bug was found in the way Firefox processes XUL content. If a malicious web page can trick a user into dragging an object, it is possible to load malicious XUL content. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0401 to this issue. A bug was found in the way Firefox bookmarks content to the sidebar. If a user can be tricked into bookmarking a malicious web page into the sidebar panel, that page could execute arbitrary programs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0402 to this issue. Users of Firefox are advised to upgrade to this updated package which contains Firefox version 1.0.2 and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0399 CVE-2005-0401 CVE-2005-0402 CAN-2005-0399 firefox GIF buffer overflow CAN-2005-0402 arbitrary code execution via sidebar CAN-2005-0401 Drag and drop loading of privileged XUL cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. A buffer overflow bug was found in the way Thunderbird processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0399 to this issue. A bug was found in the Thunderbird string handling functions. If a malicious website is able to exhaust a system's memory, it becomes possible to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0255 to this issue. Users of Thunderbird are advised to upgrade to this updated package which contains Thunderbird version 1.0.2 and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0399 CVE-2005-0255 CAN-2005-0255 Memory overwrite in string library CAN-2005-0399 thunderbird GIF buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. Multiple buffer overflow bugs were found in the way curl processes base64 encoded replies. If a victim can be tricked into visiting a URL with curl, a malicious web server could execute arbitrary code on a victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0490 to this issue. All users of curl are advised to upgrade to these updated packages, which contain backported fixes for these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0490 CAN-2005-0490 Multiple stack based buffer overflows in curl cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf processes BMP images. It is possible that a specially crafted BMP image could cause a denial of service attack on applications linked against gdk-pixbuf. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0891 to this issue. Users of gdk-pixbuf are advised to upgrade to these packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0891 CAN-2005-0891 gdk-pixbuf BMP double free DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. A bug was found in the way gtk2 processes BMP images. It is possible that a specially crafted BMP image could cause a denial of service attack on applications linked against gtk2. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0891 to this issue. Users of gtk2 are advised to upgrade to these packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0891 CAN-2005-0891 gdk-pixbuf BMP double free DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Slocate is a security-enhanced version of locate. Like locate, slocate searches through a central database (updated nightly) for files that match a given pattern. Slocate allows you to quickly find files anywhere on your system. A bug was found in the way slocate scans the local filesystem. A carefully prepared directory structure could cause updatedb's file system scan to fail silently, resulting in an incomplete slocate database. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2499 to this issue. Additionally this update addresses the following issues: - Files with a size of 2 GB and larger were not entered into the slocate database. - File system type exclusions were processed only when starting updatedb and did not reflect file systems mounted while updatedb was running (for example, automounted file systems). - File system type exclusions were ignored for file systems that were mounted to a path containing a symbolic link. - Databases created by slocate were owned by the slocate group even if they were created by regular users. Users of slocate are advised to upgrade to this updated package, which contains backported patches and is not affected by these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-2499 Files > 2 GB are not entered into slocate data base slocate collects .automount files over nfs CAN-2005-2499 slocate DOS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Slocate is a security-enhanced version of locate. Like locate, slocate searches through a central database (updated nightly) for files that match a given pattern. Slocate allows you to quickly find files anywhere on your system. A bug was found in the way slocate scans the local filesystem. A carefully prepared directory structure could cause updatedb's file system scan to fail silently, resulting in an incomplete slocate database. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2499 to this issue. Additionally this update addresses the following issues: - File system type exclusions were processed only when starting updatedb and did not reflect file systems mounted while updatedb was running (for example, automounted file systems.) - File system type exclusions were ignored for file systems that were mounted to a path containing a symbolic link. - Databases created by slocate were owned by the slocate group even if they were created by regular users. - The default configuration excluded /mnt/floppy, but not /media. - The default configuration did not exclude nfs4 file systems. Users of slocate are advised to upgrade to this updated package, which contains backported patches and is not affected by these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-2499 slocate collects .automount files over nfs Incorrect path in /etc/updatedb.conf updatedb indexes nfs4 filesystems CAN-2005-2499 slocate DOS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 TeTeX is an implementation of TeX for Linux or UNIX systems. TeX takes a text file and a set of formatting commands as input and creates a typesetter-independent .dvi (DeVice Independent) file as output. A number of security flaws have been found affecting libraries used internally within teTeX. An attacker who has the ability to trick a user into processing a malicious file with teTeX could cause teTeX to crash or possibly execute arbitrary code. A number of integer overflow bugs that affect Xpdf were discovered. The teTeX package contains a copy of the Xpdf code used for parsing PDF files and is therefore affected by these bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0888 and CAN-2004-1125 to these issues. A number of integer overflow bugs that affect libtiff were discovered. The teTeX package contains an internal copy of libtiff used for parsing TIFF image files and is therefore affected by these bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0803, CAN-2004-0804 and CAN-2004-0886 to these issues. Also latex2html is added to package tetex-latex for 64bit platforms. Users of teTeX should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0803 CVE-2004-0804 CVE-2004-0886 CVE-2004-0888 CVE-2004-1125 CAN-2004-0888 xpdf integer overflows CAN-2004-0803 multiple issues in libtiff (CAN-2004-0804 CAN-2004-0886) tetex-latex package missing latex2html CAN-2004-1125 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The gzip package contains the GNU gzip data compression program. A bug was found in the way zgrep processes file names. If a user can be tricked into running zgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running zgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0758 to this issue. A bug was found in the way gunzip modifies permissions of files being decompressed. A local attacker with write permissions in the directory in which a victim is decompressing a file could remove the file being written and replace it with a hard link to a different file owned by the victim. gunzip then gives the linked file the permissions of the uncompressed file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0988 to this issue. A directory traversal bug was found in the way gunzip processes the -N flag. If a victim decompresses a file with the -N flag, gunzip fails to sanitize the path which could result in a file owned by the victim being overwritten. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1228 to this issue. Users of gzip should upgrade to this updated package, which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0758 CVE-2005-0988 CVE-2005-1228 CAN-2005-0758 zgrep has security issue in sed usage CAN-2005-0988 Race condition in gzip CAN-2005-1228 directory traversal bug cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. An integer overflow flaw was found in PCRE, a Perl-compatible regular expression library included within Exim. A local user could create a maliciously crafted regular expression in such as way that they could gain the privileges of the 'exim' user. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2491 to this issue. These erratum packages change Exim to use the system PCRE library instead of the internal one. These packages also fix a minor flaw where the Exim Monitor was incorrectly computing free space on very large file systems. Users should upgrade to these erratum packages and also ensure they have updated the system PCRE library, for which erratum packages are available seperately in RHSA-2005:761 Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2491 CAN-2005-2491 PCRE heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. A bug was found in the way vixie-cron installs new crontab files. It is possible for a local attacker to execute the crontab command in such a way that they can view the contents of another user's crontab file. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1038 to this issue. Additionally, this update addresses the following issues: o Fixed improper limits on filename and command line lengths o Improved PAM access control conforming to EAL certification requirements o Improved reliability when running in a chroot environment o Mail recipient name checking disabled by default, can be re-enabled o Added '-p' "permit all crontabs" option to disable crontab mode checking All users of vixie-cron should upgrade to this updated package, which contains backported patches and is not vulnerable to these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1038 cron fails to run user jobs and gives vague error message CAN-2005-1038 vixie-cron information leak vixie-cron updates for new audit system Cron no longer allows read-only crontabs, enforces write access cron fails with pam_access crontab truncates file names greater than 100 characters. CAN-2005-1038 vixie-cron information leak [PATCH] List corruption when items are removed from /etc/cron.d cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Gaim application is a multi-protocol instant messaging client. A buffer overflow bug was found in the way gaim escapes HTML. It is possible that a remote attacker could send a specially crafted message to a Gaim client, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0965 to this issue. A bug was found in several of gaim's IRC processing functions. These functions fail to properly remove various markup tags within an IRC message. It is possible that a remote attacker could send a specially crafted message to a Gaim client connected to an IRC server, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0966 to this issue. A bug was found in gaim's Jabber message parser. It is possible for a remote Jabber user to send a specially crafted message to a Gaim client, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0967 to this issue. In addition to these denial of service issues, multiple minor upstream bugfixes are included in this update. Users of Gaim are advised to upgrade to this updated package which contains Gaim version 1.2.1 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0965 CVE-2005-0966 CVE-2005-0967 CAN-2005-0965 Gaim remote DoS issues (CAN-2005-0966) CAN-2005-0967 jabber DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. A flaw in the fib_seq_start function was discovered. A local user could use this flaw to cause a denial of service (system crash) via /proc/net/route. (CAN-2005-1041) A flaw in the tmpfs file system was discovered. A local user could use this flaw to cause a denial of service (system crash). (CAN-2005-0977) An integer overflow flaw was found when writing to a sysfs file. A local user could use this flaw to overwrite kernel memory, causing a denial of service (system crash) or arbitrary code execution. (CAN-2005-0867) Keith Owens reported a flaw in the Itanium unw_unwind_to_user function. A local user could use this flaw to cause a denial of service (system crash) on Itanium architectures. (CAN-2005-0135) A flaw in the NFS client O_DIRECT error case handling was discovered. A local user could use this flaw to cause a denial of service (system crash). (CAN-2005-0207) A small memory leak when defragmenting local packets was discovered that affected the Linux 2.6 kernel netfilter subsystem. A local user could send a large number of carefully crafted fragments leading to memory exhaustion (CAN-2005-0210) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CAN-2005-0384) A flaw was discovered in the ext2 file system code. When a new directory is created, the ext2 block written to disk is not initialized, which could lead to an information leak if a disk image is made available to unprivileged users. (CAN-2005-0400) A flaw in fragment queuing was discovered that affected the Linux kernel netfilter subsystem. On systems configured to filter or process network packets (e.g. firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to sucessfully exploit this flaw, the attacker would need to know or guess some aspects of the firewall ruleset on the target system. (CAN-2005-0449) A number of flaws were found in the Linux 2.6 kernel. A local user could use these flaws to read kernel memory or cause a denial of service (crash). (CAN-2005-0529, CAN-2005-0530, CAN-2005-0531) An integer overflow in sys_epoll_wait in eventpoll.c was discovered. A local user could use this flaw to overwrite low kernel memory. This memory is usually unused, not usually resulting in a security consequence. (CAN-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (crash). (CAN-2005-0749) A flaw was discovered in the bluetooth driver system. On systems where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CAN-2005-0750) A race condition was discovered that affected the Radeon DRI driver. A local user who has DRI privileges on a Radeon graphics card may be able to use this flaw to gain root privileges. (CAN-2005-0767) Multiple range checking flaws were discovered in the iso9660 file system handler. An attacker could create a malicious file system image which would cause a denial or service or potentially execute arbitrary code if mounted. (CAN-2005-0815) A flaw was discovered when setting line discipline on a serial tty. A local user may be able to use this flaw to inject mouse movements or keystrokes when another user is logged in. (CAN-2005-0839) Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Please note that Important Copyright 2005 Red Hat, Inc. CVE-2005-0135 CVE-2005-0207 CVE-2005-0210 CVE-2005-0384 CVE-2005-0400 CVE-2005-0449 CVE-2005-0529 CVE-2005-0530 CVE-2005-0531 CVE-2005-0736 CVE-2005-0749 CVE-2005-0750 CVE-2005-0767 CVE-2005-0815 CVE-2005-0839 CVE-2005-0867 CVE-2005-0977 CVE-2005-1041 CAN-2005-0449 Possible remote Oops/firewall bypass - kABI breaker CAN-2005-0135 ia64 local DoS CAN-2005-0207 nfs client O_DIRECT oops CAN-2005-0529 Sign handling issues on v2.6 (CAN-2005-0530 CAN-2005-0531) CAN-2005-0209 netfilter SKB problem CAN-2005-0384 pppd remote DoS CAN-2005-0736 epoll overflow CAN-2005-0767 drm race in radeon CAN-2005-0750 bluetooth security flaw CAN-2005-0400 ext2 mkdir() directory entry random kernel memory leak CAN-2005-0815 isofs range checking flaws CAN-2005-0749 load_elf_library possible DoS CAN-2005-0839 N_MOUSE line discipline flaw CAN-2005-0977 tmpfs truncate bug CAN-2005-0867 sysfs signedness problem CAN-2005-1041 crash while reading /proc/net/route cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SNMP (Simple Network Management Protocol) is a protocol used for network management. A denial of service bug was found in the way net-snmp uses network stream protocols. It is possible for a remote attacker to send a net-snmp agent a specially crafted packet which will crash the agent. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2177 to this issue. An insecure temporary file usage bug was found in net-snmp's fixproc command. It is possible for a local user to modify the content of temporary files used by fixproc which can lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1740 to this issue. Additionally the following bugs have been fixed: - snmpwalk no longer hangs when a non-existant pid is listed. - snmpd no longer segfaults due to incorrect handling of lmSensors. - an incorrect assignment leading to invalid values in ASN mibs has been fixed. - on systems running a 64-bit kernel, the values in /proc/net/dev no longer become too large to fit in a 32-bit object. - the net-snmp-devel packages correctly depend on elfutils-libelf-devel. - large file systems are correctly handled - snmp daemon now reports gigabit Ethernet speeds correctly - fixed consistency between IP adresses and hostnames in configuration file All users of net-snmp should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-2177 CVE-2005-1740 CVE-2005-4837 net-snmp-devel should depend on elfutils-libelf-devel snmpd.conf hostname vs. IP inconsistancy 64bit network counters peg instead of wrapping CAN-2005-2177 net-snmp denial of service CAN-2005-1740 net-snmp insecure temporary file usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. A heap based buffer overflow bug was found in the OpenOffice.org DOC file processor. An attacker could create a carefully crafted DOC file in such a way that it could cause OpenOffice.org to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0941 to this issue. All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0941 CAN-2005-0941 openoffice.org heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The sharutils package contains a set of tools for encoding and decoding packages of files in binary or text format. A stack based overflow bug was found in the way shar handles the -o option. If a user can be tricked into running a specially crafted command, it could lead to arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1772 to this issue. Please note that this issue does not affect Red Hat Enterprise Linux 4. Two buffer overflow bugs were found in sharutils. If an attacker can place a malicious 'wc' command on a victim's machine, or trick a victim into running a specially crafted command, it could lead to arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1773 to this issue. A bug was found in the way unshar creates temporary files. A local user could use symlinks to overwrite arbitrary files the victim running unshar has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0990 to this issue. All users of sharutils should upgrade to this updated package, which includes backported fixes to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1772 CVE-2004-1773 CVE-2005-0990 CAN-2004-1772 buffer overflow with -o option CAN-2004-1773 Buffer overflows in unshar CAN-2005-0990 insecure temp file usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 GNU cpio copies files into or out of a cpio or tar archive. A race condition bug was found in cpio. It is possible for a local malicious user to modify the permissions of a local file if they have write access to a directory in which a cpio archive is being extracted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1111 to this issue. Additionally, this update adds cpio support for archives larger than 2GB. However, the size of individual files within an archive is limited to 4GB. All users of cpio are advised to upgrade to this updated package, which contains backported fixes for these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1111 cpio does not support large files > 2GB cpio fails to unpack initrd on ppc 511278 - needs fix for RHEL 4 on cpio bugzilla 105617 CVE-2005-1111 Race condition in cpio cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 NASM is an 80x86 assembler. Two stack based buffer overflow bugs have been found in nasm. An attacker could create an ASM file in such a way that when compiled by a victim, could execute arbitrary code on their machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1287 and CAN-2005-1194 to these issues. All users of nasm are advised to upgrade to this updated package, which contains backported fixes for these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1287 CVE-2005-1194 CAN-2004-1287 Bernstein class reports buffer overflow in nasm CAN-2005-1194 Buffer overflow in the ieee_putascii() function cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Vladimir V. Perepelitsa discovered a bug in the way Firefox handles anonymous functions during regular expression string replacement. It is possible for a malicious web page to capture a random block of browser memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0989 to this issue. Omar Khan discovered a bug in the way Firefox processes the PLUGINSPAGE tag. It is possible for a malicious web page to trick a user into pressing the "manual install" button for an unknown plugin leading to arbitrary javascript code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0752 to this issue. Doron Rosenberg discovered a bug in the way Firefox displays pop-up windows. If a user choses to open a pop-up window whose URL is malicious javascript, the script will be executed with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1153 to this issue. A bug was found in the way Firefox handles the javascript global scope for a window. It is possible for a malicious web page to define a global variable known to be used by a different site, allowing malicious code to be executed in the context of the site. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1154 to this issue. Michael Krax discovered a bug in the way Firefox handles favicon links. A malicious web page can programatically define a favicon link tag as javascript, executing arbitrary javascript with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1155 to this issue. Michael Krax discovered a bug in the way Firefox installed search plugins. If a user chooses to install a search plugin from a malicious site, the new plugin could silently overwrite an existing plugin. This could allow the malicious plugin to execute arbitrary code and steal sensitive information. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1156 and CAN-2005-1157 to these issues. Kohei Yoshino discovered a bug in the way Firefox opens links in its sidebar. A malicious web page could construct a link in such a way that, when clicked on, could execute arbitrary javascript with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1158 to this issue. A bug was found in the way Firefox validated several XPInstall related javascript objects. A malicious web page could pass other objects to the XPInstall objects, resulting in the javascript interpreter jumping to arbitrary locations in memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1159 to this issue. A bug was found in the way the Firefox privileged UI code handled DOM nodes from the content window. A malicious web page could install malicious javascript code or steal data requiring a user to do commonplace actions such as clicking a link or opening the context menu. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1160 to this issue. Users of Firefox are advised to upgrade to this updated package which contains Firefox version 1.0.3 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0752 CVE-2005-0989 CVE-2005-1153 CVE-2005-1154 CVE-2005-1155 CVE-2005-1156 CVE-2005-1157 CVE-2005-1158 CVE-2005-1159 CVE-2005-1160 CAN-2005-0752 Multiple firefox issues. (CAN-2005-0989) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several bugs were found with the way Mozilla displays the secure site icon. It is possible that a malicious website could display the secure site icon along with incorrect certificate information. (CAN-2005-0143 CAN-2005-0593) A bug was found in the way Mozilla handles synthetic middle click events. It is possible for a malicious web page to steal the contents of a victims clipboard. (CAN-2005-0146) Several bugs were found with the way Mozilla handles temporary files. A local user could view sensitive temporary information or delete arbitrary files. (CAN-2005-0142 CAN-2005-0578) A bug was found in the way Mozilla handles pop-up windows. It is possible for a malicious website to control the content in an unrelated site's pop-up window. (CAN-2004-1156) A flaw was found in the way Mozilla displays international domain names. It is possible for an attacker to display a valid URL, tricking the user into thinking they are viewing a legitimate webpage when they are not. (CAN-2005-0233) A bug was found in the way Mozilla processes XUL content. If a malicious web page can trick a user into dragging an object, it is possible to load malicious XUL content. (CAN-2005-0401) A bug was found in the way Mozilla handles xsl:include and xsl:import directives. It is possible for a malicious website to import XSLT stylesheets from a domain behind a firewall, leaking information to an attacker. (CAN-2005-0588) Several bugs were found in the way Mozilla displays alert dialogs. It is possible for a malicious webserver or website to trick a user into thinking the dialog window is being generated from a trusted site. (CAN-2005-0586 CAN-2005-0591 CAN-2005-0585 CAN-2005-0590 CAN-2005-0584) A bug was found in the Mozilla javascript security manager. If a user drags a malicious link to a tab, the javascript security manager is bypassed, which could result in remote code execution or information disclosure. (CAN-2005-0231) A bug was found in the way Mozilla allows plug-ins to load privileged content into a frame. It is possible that a malicious webpage could trick a user into clicking in certain places to modify configuration settings or execute arbitrary code. (CAN-2005-0232 and CAN-2005-0527) A bug was found in the way Mozilla handles anonymous functions during regular expression string replacement. It is possible for a malicious web page to capture a random block of browser memory. (CAN-2005-0989) A bug was found in the way Mozilla displays pop-up windows. If a user choses to open a pop-up window whose URL is malicious javascript, the script will be executed with elevated privileges. (CAN-2005-1153) A bug was found in the way Mozilla installed search plugins. If a user chooses to install a search plugin from a malicious site, the new plugin could silently overwrite an existing plugin. This could allow the malicious plugin to execute arbitrary code and stealm sensitive information. (CAN-2005-1156 CAN-2005-1157) Several bugs were found in the Mozilla javascript engine. A malicious web page could leverage these issues to execute javascript with elevated privileges or steal sensitive information. (CAN-2005-1154 CAN-2005-1155 CAN-2005-1159 CAN-2005-1160) Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.7.7 to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1156 CVE-2005-0142 CVE-2005-0143 CVE-2005-0146 CVE-2005-0231 CVE-2005-0232 CVE-2005-0233 CVE-2005-0401 CVE-2005-0527 CVE-2005-0578 CVE-2005-0584 CVE-2005-0585 CVE-2005-0586 CVE-2005-0588 CVE-2005-0590 CVE-2005-0591 CVE-2005-0593 CVE-2005-0989 CVE-2005-1153 CVE-2005-1154 CVE-2005-1155 CVE-2005-1156 CVE-2005-1157 CVE-2005-1159 CVE-2005-1160 CAN-2004-1156 Frame injection vulnerability. CAN-2005-0585 download dialog URL spoofing CAN-2005-0142 Opened attachments are temporarily saved world-readable CAN-2005-0143 Secure site lock can be spoofed with a binary download CAN-2005-0146 Synthetic middle-click event can steal clipboard contents CAN-2005-0233 homograph spoofing CAN-2005-0401 Drag and drop loading of privileged XUL CAN-2005-0578 Mozilla issues (CAN-2005-0232 CAN-2005-0527 CAN-2005-0231 CAN-2005-0584 CAN-2005-0585 CAN-2005-0586 CAN-2005-0588 CAN-2005-0590 CAN-2005-0591 CAN-2005-0593) CAN-2005-0989 Multiple Mozilla issues. (CAN-2005-1153 CAN-2005-1154 CAN-2005-1155 CAN-2005-1156 CAN-2005-1157 CAN-2005-1159 CAN-2005-1160) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Vladimir V. Perepelitsa discovered a bug in the way Mozilla handles anonymous functions during regular expression string replacement. It is possible for a malicious web page to capture a random block of browser memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0989 to this issue. Doron Rosenberg discovered a bug in the way Mozilla displays pop-up windows. If a user choses to open a pop-up window whose URL is malicious javascript, the script will be executed with elevated privileges. (CAN-2005-1153) A bug was found in the way Mozilla handles the javascript global scope for a window. It is possible for a malicious web page to define a global variable known to be used by a different site, allowing malicious code to be executed in the context of the site. (CAN-2005-1154) Michael Krax discovered a bug in the way Mozilla handles favicon links. A malicious web page can programatically define a favicon link tag as javascript, executing arbitrary javascript with elevated privileges. (CAN-2005-1155) Michael Krax discovered a bug in the way Mozilla installed search plugins. If a user chooses to install a search plugin from a malicious site, the new plugin could silently overwrite an existing plugin. This could allow the malicious plugin to execute arbitrary code and stealm sensitive information. (CAN-2005-1156 CAN-2005-1157) A bug was found in the way Mozilla validated several XPInstall related javascript objects. A malicious web page could pass other objects to the XPInstall objects, resulting in the javascript interpreter jumping to arbitrary locations in memory. (CAN-2005-1159) A bug was found in the way the Mozilla privileged UI code handled DOM nodes from the content window. A malicious web page could install malicious javascript code or steal data requiring a user to do commonplace actions such as clicking a link or opening the context menu. (CAN-2005-1160) Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.7.7 to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0989 CVE-2005-1153 CVE-2005-1154 CVE-2005-1155 CVE-2005-1156 CVE-2005-1157 CVE-2005-1159 CVE-2005-1160 CAN-2005-0989 Multiple Mozilla issues. (CAN-2005-1153 CAN-2005-1154 CAN-2005-1155 CAN-2005-1156 CAN-2005-1157 CAN-2005-1159 CAN-2005-1160) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 CVS (Concurrent Version System) is a version control system. A buffer overflow bug was found in the way the CVS client processes version and author information. If a user can be tricked into connecting to a malicious CVS server, an attacker could execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0753 to this issue. Additionally, a bug was found in which CVS freed an invalid pointer. However, this issue does not appear to be exploitable. All users of cvs should upgrade to this updated package, which includes a backported patch to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0753 CAN-2005-0753 multiple issues in cvs cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 HelixPlayer is a media player. A buffer overflow bug was found in the way HelixPlayer processes RAM files. An attacker could create a specially crafted RAM file which could execute arbitrary code when opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0755 to this issue. All users of HelixPlayer are advised to upgrade to this updated package, which contains HelixPlayer version 10.0.4 and is not vulnerable to this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0755 CAN-2005-0755 HelixPlayer buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 KDE is a graphical desktop environment for the X Window System. Konqueror is the file manager for the K Desktop Environment. A source code audit performed by the KDE security team discovered several vulnerabilities in the PCX and other image file format readers. A buffer overflow was found in the kimgio library for KDE 3.4.0. An attacker could create a carefully crafted PCX image in such a way that it would cause kimgio to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1046 to this issue. All users of kdelibs should upgrade to these updated packages, which contain a backported security patch to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-1046 CAN-2005-1046 PCX file integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SNMP (Simple Network Management Protocol) is a protocol used for network management. A denial of service bug was found in the way net-snmp uses network stream protocols. It is possible for a remote attacker to send a net-snmp agent a specially crafted packet that will crash the agent. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2177 to this issue. An insecure temporary file usage bug was found in net-snmp's fixproc command. It is possible for a local user to modify the content of temporary files used by fixproc that can lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1740 to this issue. Additionally, the following bugs have been fixed: - The lmSensors are correctly recognized, snmp deamon no longer segfaults - The larger swap partition sizes are correctly reported - Querying hrSWInstalledLastUpdateTime no longer crashes the snmp deamon - Fixed error building ASN.1 representation - The 64-bit network counters correctly wrap - Large file systems are correctly handled - Snmptrapd initscript correctly reads options from its configuration file /etc/snmp/snmptrapd.options - Snmp deamon no longer crashes when restarted using the agentX protocol - snmp daemon now reports gigabit Ethernet speeds correctly - MAC adresses are shown when requested instead of IP adresses All users of net-snmp should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1740 CVE-2005-2177 CVE-2005-4837 snmpd dies when getting enterprises.ucdavis.memory.memTotalSwap.0 snmpd exits without a diagnostic: SIGSEGV 64bit network counters peg instead of wrapping /etc/init.d/snmptrapd wrong order in setting variables... x86_64: net-snmp dies when querying hrSWInstalledLastUpdateTime CAN-2005-1740 net-snmp insecure temporary file usage CAN-2005-2177 net-snmp denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon. Several integer overflow bugs were found in the way X.org parses pixmap images. It is possible for a user to gain elevated privileges by loading a specially crafted pixmap image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2495 to this issue. Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-2495 CAN-2005-2495 multiple integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Evolution is a GNOME-based collection of personal information management (PIM) tools. A bug was found in the way Evolution displays mail messages. It is possible that an attacker could create a specially crafted mail message that when opened by a victim causes Evolution to stop responding. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0806 to this issue. A bug was also found in Evolution's helper program camel-lock-helper. This bug could allow a local attacker to gain root privileges if camel-lock-helper has been built to execute with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0102 to this issue. On Red Hat Enterprise Linux, camel-lock-helper is not built to execute with elevated privileges by default. Please note however that if users have rebuilt Evolution from the source RPM, as the root user, camel-lock-helper may be given elevated privileges. All users of evolution should upgrade to these updated packages, which include backported fixes to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0102 CVE-2005-0806 CAN-2005-0102 Integer overflow in camel-lock-helper CAN-2005-0806 DoS from mail message cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0524 and CAN-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way that it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1043 to this issue. Several bug fixes are also included in this update: - The security fixes in RHSA-2004-687 to the "unserializer" code introduced some performance issues. - In the gd extension, the "imagecopymerge" function did not correctly handle transparency. The original image was being obscured in the resultant image. - In the curl extension, safe mode was not enforced for 'file:///' URL lookups (CAN-2004-1392). Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1392 CVE-2005-0524 CVE-2005-0525 CVE-2005-1042 CVE-2005-1043 PHP pages slow, HTTPD eating cpu php curl open_basedir bypass make PHP oci8 driver support Oracle Instant Client RPM PHP GD ImageCopyMerge broken CAN-2005-0524 PHP getimagesize() Multiple Denial of Service Vulnerabilities CAN-2005-0525 CAN-2005-1042 PHP exif buffer overflow CAN-2005-1043 PHP exif infinite stack recursion cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0524 and CAN-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1043 to this issue. Several bug fixes are also included in this update: - some performance issues in the unserialize() function have been fixed - the behaviour of the interpreter when handling integer overflow during conversion of a floating variable to an integer has been reverted to match the behaviour used upstream; the integer will now be wrapped rather than truncated - a fix for the virtual() function in the Apache httpd module which would flush the response prematurely - the hard-coded default "safe mode" setting is now "disabled" rather than "enabled"; to match the default /etc/php.ini setting - in the curl extension, safe mode was not enforced for 'file:///' URL lookups (CAN-2004-1392). Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1392 CVE-2005-0524 CVE-2005-0525 CVE-2005-1042 CVE-2005-1043 Error in configure prevents php SRPM rebuild on x86_64 w/ mssql module CAN-2005-0524 PHP getimagesize() Multiple Denial of Service Vulnerabilities CAN-2005-0525 CAN-2005-1042 PHP exif buffer overflow CAN-2005-1043 PHP exif infinite stack recursion cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The cyrus-imapd package contains the core of the Cyrus IMAP server. Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0546 to this issue. Users of cyrus-imapd are advised to upgrade to these updated packages, which contain cyrus-imapd version 2.2.12 to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0546 CAN-2005-0546 multiple buffer overflows in cyrus-imapd cpe:/o:redhat:enterprise_linux