Fixlet Site - PatchesforRedHatEnterpriseLinux Current Version: 179 Published: Thu, 08 Mar 2007 02:10:47 GMT *************************************************************** Title: RHBA-2006:0744 - Java-1.4.2-Ibm Bug Fix Update - Red Hat Enterprise 4.0 (Superseded) Severity: Fixlet ID: 200674401 Fixlet Link: https://rhn.redhat.com/errata/RHBA-2006-0744.html Fixlet Description: Note: RHSA-2007:0062 supersedes this errata. Updated java-1.4.2-ibm packages that comprise IBM's SR6 SDK release are now available. The following packages comprise IBM's 1.4.2 SR6 Java release: java-1.4.2-ibm java-1.4.2-ibm-devel java-1.4.2-ibm-src java-1.4.2-ibm-demo java-1.4.2-ibm-plugin java-1.4.2-ibm-jdbc java-1.4.2-ibm-javacomm These packages include the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. The Java 2 Runtime Environment (JRE) consists of the Java virtual machine, the Java platform core classes and supporting files, and includes a Web browser plug-in for running Java applets. It is the runtime section of the Java 2 SDK, but without the development tools such as compilers and debuggers. The Java 2 Software Development Kit (SDK) is a development environment for building applications, applets, and components that can be deployed on the Java platform. The Java 2 SDK software includes tools useful for developing and testing programs written in the Java programming language. The Java 2 SDK software also includes a JDBC/ODBC bridge for Java applications that need to communicate with a database. These updated packages include IBM's SR6 SDK release. They fix a bug in IBM's plugin that required workarounds in previous releases. All users of java-1.4.2-ibm should upgrade to these updated packages, which resolve these issues. *************************************************************** Title: RHSA-2007:0008 - Dbus Security Update - Red Hat Enterprise 4.0 Severity: Moderate Fixlet ID: 200700801 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0008.html Fixlet Description: Updated dbus packages that fix a security flaw in the way D-BUS processes certain messages. It is possible for a local unprivileged D-BUS process to disrupt the ability of another D-BUS process to receive messages. Please see patch page for more detailed information. *************************************************************** Title: RHSA-2007:0008 - Dependencies Needed - Red Hat Enterprise 4.0 Severity: Moderate Fixlet ID: 200700805 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0008.html Fixlet Description: Updated dbus packages that fix a security issue are now available for Red Hat Enterprise Linux 4. However, this update requires that the package "audit-libs" be at least version "1.0.3-6.EL4". *************************************************************** Title: RHSA-2007:0014 - Kernel Security Update - Red Hat Enterprise 4.0 (Superseded) Severity: Important Fixlet ID: 200701401 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0014.html Fixlet Description: Note: RHSA-2007:0085 supersedes this errata. Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: * a flaw in the get_fdb_entries function of the network bridging support that allowed a local user to cause a denial of service (crash) or allow a potential privilege escalation (CVE-2006-5751, Important) * an information leak in the _block_prepare_write function that allowed a local user to read kernel memory (CVE-2006-4813, Important) * an information leak in the copy_from_user() implementation on s390 and s390x platforms that allowed a local user to read kernel memory (CVE-2006-5174, Important) * a flaw in the handling of /proc/net/ip6_flowlabel that allowed a local user to cause a denial of service (infinite loop) (CVE-2006-5619, Important) * a flaw in the AIO handling that allowed a local user to cause a denial of service (panic) (CVE-2006-5754, Important) * a race condition in the mincore system core that allowed a local user to cause a denial of service (system hang) (CVE-2006-4814, Moderate) * a flaw in the ELF handling on ia64 and sparc architectures which triggered a cross-region memory mapping and allowed a local user to cause a denial of service (CVE-2006-4538, Moderate) * a flaw in the dev_queue_xmit function of the network subsystem that allowed a local user to cause a denial of service (data corruption) (CVE-2006-6535, Moderate) * a flaw in the handling of CAPI messages over Bluetooth that allowed a remote system to cause a denial of service or potential code execution. This flaw is only exploitable if a privileged user establishes a connection to a malicious remote device (CVE-2006-6106, Moderate) * a flaw in the listxattr system call that allowed a local user to cause a denial of service (data corruption) or potential privilege escalation. To successfully exploit this flaw the existence of a bad inode is required first (CVE-2006-5753, Moderate) * a flaw in the __find_get_block_slow function that allowed a local privileged user to cause a denial of service (CVE-2006-5757, Low) * various flaws in the supported filesystems that allowed a local privileged user to cause a denial of service (CVE-2006-5823, CVE-2006-6053, CVE-2006-6054, CVE-2006-6056, Low) In addition to the security issues described above, fixes for the following bugs were included: * initialization error of the tg3 driver with some BCM5703x network card * a memory leak in the audit subsystem * x86_64 nmi watchdog timeout is too short * ext2/3 directory reads fail intermittently Red Hat would like to thank Dmitriy Monakhov and Kostantin Khorenko for reporting issues fixed in this erratum. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architecture and configurations as listed in this erratum. *************************************************************** Title: RHSA-2007:0015 - Imagemagick Security Update - Red Hat Enterprise 4.0 Severity: Moderate Fixlet ID: 200701503 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0015.html Fixlet Description: Updated ImageMagick packages that correct several security flaws in the way ImageMagick decodes DCM, PALM, and SGI graphic files. An attacker may be able to execute arbitrary code on a victim's machine if they were able to trick the victim into opening a specially crafted image file. Please see patch page for more detailed information. *************************************************************** Title: RHSA-2007:0018 - Fetchmail Security Update - Red Hat Enterprise 4.0 Severity: Moderate Fixlet ID: 200701803 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0018.html Fixlet Description: Updated fetchmail packages that fix two security issues are now available for a denial of service flaw that was found when Fetchmail was run in multidrop mode. A malicious mail server could send a message without headers which would cause Fetchmail to crash. Please see patch page for more detailed information. *************************************************************** Title: RHSA-2007:0022 - Squirrelmail Security Update - Red Hat Enterprise 4.0 Severity: Moderate Fixlet ID: 200702203 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0022.html Fixlet Description: A new squirrelmail package that fixes security issues is now available. Users of SquirrelMail should upgrade to this erratum package, which contains a backported patch to correct these issues. Notes: - After installing this update, users are advised to restart their httpd service to ensure that the updated version functions correctly. - config. php should NOT be modified, please modify config_local. php instead. - Known Bug: The configuration generator may potentially produce bad options that interfere with the operation of this application. Applying specific config changes to config_local. php manually is recommended. *************************************************************** Title: RHSA-2007:0044 - Bind Security Update - Red Hat Enterprise 4.0 Severity: Moderate Fixlet ID: 200704403 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0044.html Fixlet Description: Updated bind packages that fix a security issue and a bug are now available. Users of BIND are advised to upgrade to these updated packages, which contain backported patches to correct these issues. *************************************************************** Title: RHSA-2007:0060 - Samba Security Update - Red Hat Enterprise 4.0 Severity: Moderate Fixlet ID: 200706003 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0060.html Fixlet Description: Updated samba packages that fix a denial of service vulnerability are now available. Users of Samba should update to these packages, which contain a backported patch to correct this issue. *************************************************************** Title: RHSA-2007:0062 - Java-1.4.2-Ibm Security Update - Red Hat Enterprise 4.0 Severity: Critical Fixlet ID: 200706203 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0062.html Fixlet Description: Updated java-1.4.2-ibm packages to correct several security issues are now available for Red Hat Enterprise Linux 3 and 4 Extras. This update has been rated as having critical security impact by the Red Hat Security Response Team. IBM's 1.4.2 SR7 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A number of security issues were found: Vulnerabilities were discovered in the Java Runtime Environment. An untrusted applet could use these vulnerabilities to access data from other applets. (CVE-2006-6736, CVE-2006-6737) Serialization flaws were discovered in the Java Runtime Environment. An untrusted applet or application could use these flaws to elevate its privileges. (CVE-2006-6745) Buffer overflow vulnerabilities were discovered in the Java Runtime Environment. An untrusted applet could use these flaws to elevate its privileges, possibly reading and writing local files or executing local applications. (CVE-2006-6731) Daniel Bleichenbacher discovered an attack on PKCS #1 v1.5 signatures. Where an RSA key with exponent 3 is used it may be possible for an attacker to forge a PKCS #1 v1.5 signature that would be incorrectly verified by implementations that do not check for excess data in the RSA exponentiation result of the signature. (CVE-2006-4339) All users of java-1.4.2-ibm should upgrade to these updated packages, which contain IBM's 1.4.2 SR7 Java release which resolves these issues. *************************************************************** Title: RHSA-2007:0064 - PostgreSQL Security Update - Red Hat Enterprise 4.0 Severity: Moderate Fixlet ID: 200706403 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0064.html Fixlet Description: Updated postgresql packages that fix two security issues are now available for Red Hat Enterprise Linux 3 and 4. Users of PostgreSQL should upgrade to these updated packages containing PostgreSQL version 7.4.16 or 7.3.18, which correct these issues. *************************************************************** Title: RHSA-2007:0073 - Java-1.5.0-Ibm Security Update - Red Hat Enterprise 4.0 Severity: Critical Fixlet ID: 200707301 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0073.html Fixlet Description: java-1.5.0-ibm packages that correct several security issues are available for Red Hat Enterprise Linux 4 Extras. *************************************************************** Title: RHSA-2007:0074 - Spamassassin Security Update - Red Hat Enterprise 4.0 Severity: Important Fixlet ID: 200707401 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0074.html Fixlet Description: Updated spamassassin packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. SpamAssassin provides a way to reduce unsolicited commercial email (spam) from incoming email. A flaw was found in the way SpamAssassin processes HTML email containing URIs. A carefully crafted mail message could cause SpamAssassin to consume significant resources. If a number of these messages are sent, this could lead to a denial of service, potentially delaying or preventing the delivery of email. (CVE-2007-0451) Users of SpamAssassin should upgrade to these updated packages which contain version 3.1.8 which is not vulnerable to these issues. This is an upgrade from SpamAssassin version 3.0.6 to 3.1.8, which contains many bug fixes and spam detection enhancements. Further details are available in the SpamAssassin 3.1 changelog and upgrade guide. *************************************************************** Title: RHSA-2007:0076 - PHP Security Update - Red Hat Enterprise 4.0 Severity: Important Fixlet ID: 200707603 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0076.html Fixlet Description: Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. *************************************************************** Title: RHSA-2007:0076 - Dependencies Needed - Red Hat Enterprise 4.0 Severity: Important Fixlet ID: 200707606 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0076.html Fixlet Description: Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4, but a required dependency is missing when package "php-mysql" is installed. You need at least version "4.1.20-1" of "mysql" to install these updates. *************************************************************** Title: RHSA-2007:0077 - Seamonkey Security Update - Red Hat Enterprise 4.0 Severity: Critical Fixlet ID: 200707703 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0077.html Fixlet Description: Updated seamonkey packages that fix several security bugs are now available that address several flaws that were found in the way SeaMonkey processed certain malformed JavaScript code. A malicious web page could execute JavaScript code in such a way that may result in SeaMonkey crashing or executing arbitrary code as the user running SeaMonkey. Please see patch page for more detailed information. *************************************************************** Title: RHSA-2007:0078 - Thunderbird Security Update - Red Hat Enterprise 4.0 Severity: Critical Fixlet ID: 200707801 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0078.html Fixlet Description: Updated thunderbird packages that fix several security bugs are now available for Red Hat Enterprise Linux 4. Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A malicious HTML mail message could execute JavaScript code in such a way that may result in Thunderbird crashing or executing arbitrary code as the user running Thunderbird. Please see patch page for more detailed information. *************************************************************** Title: RHSA-2007:0079 - Firefox Security Update - Red Hat Enterprise 4.0 Severity: Critical Fixlet ID: 200707901 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0079.html Fixlet Description: An updated firefox package that fixes several security flaws were found in the way Firefox processed certain malformed JavaScript code. A malicious web page could execute JavaScript code in such a way that may result in Firefox crashing or executing arbitrary code as the user running Firefox. Please see patch page for more detailed information. *************************************************************** Title: RHSA-2007:0085 - Kernel Security Update - Red Hat Enterprise 4.0 Severity: Important Fixlet ID: 200708501 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0085.html Fixlet Description: Updated kernel packages that fix two security issues and a bug in the Red Hat Enterprise Linux 4 kernel are now available. Please see patch page for more detailed information. *************************************************************** Title: RHSA-2007:0085 - Dependenceis Needed - Red Hat Enterprise 4.0 Severity: Important Fixlet ID: 200708504 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0085.html Fixlet Description: Updated kernel packages that fix two security issues and a bug in the Red Hat Enterprise Linux 4 kernel are now available. However, this update requires that the package "mkinitrd" be at least version "4.2.1.6-1". Please see patch page for more detailed information. *************************************************************** Title: RHSA-2007:0086 - Gnomemeeting Security Update - Red Hat Enterprise 4.0 Severity: Critical Fixlet ID: 200708603 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0086.html Fixlet Description: Updated gnomemeeting packages that fix a security issue are now available for Red Hat Enterprise Linux. This update has been rated as having critical security impact by the Red Hat Security Response Team. GnomeMeeting is a tool to communicate with video and audio over the Internet. A format string flaw was found in the way GnomeMeeting processes certain messages. If a user is running GnomeMeeting, a remote attacker who can connect to GnomeMeeting could trigger this flaw and potentially execute arbitrary code with the privileges of the user. (CVE-2007-1007) Users of GnomeMeeting should upgrade to these updated packages which contain a backported patch to correct this issue. *************************************************************** Title: RHSA-2007:0106 - Gnupg Security Update - Red Hat Enterprise 4.0 (ES/WS) Severity: Important Fixlet ID: 200710603 Fixlet Link: https://rhn.redhat.com/errata/RHSA-2007-0106.html Fixlet Description: An updated GnuPG package that fixes a security issue is now available. Whilst this is not a vulnerability in GnuPG itself, the GnuPG team have produced a patch to protect against messages with multiple plaintext packets. Users should update to these erratum packages which contain the backported patch for this issue.