pax_global_header00006660000000000000000000000064131440422230014505gustar00rootroot0000000000000052 comment=0a0be1dd9d0855b50be0be5a10ad3085382b6d59 golang-github-ymomoi-goval-parser-0.0~git20170813.0.0a0be1d/000077500000000000000000000000001314404222300230035ustar00rootroot00000000000000golang-github-ymomoi-goval-parser-0.0~git20170813.0.0a0be1d/.gitignore000066400000000000000000000004511314404222300247730ustar00rootroot00000000000000# Compiled Object files, Static and Dynamic libs (Shared Objects) *.o *.a *.so # Folders _obj _test # Architecture specific extensions/prefixes *.[568vq] [568vq].out *.cgo1.go *.cgo2.c _cgo_defun.c _cgo_gotypes.go _cgo_export.* _testmain.go *.exe *.test *.prof cisco-oval main goval-parser golang-github-ymomoi-goval-parser-0.0~git20170813.0.0a0be1d/LICENSE000066400000000000000000000024471314404222300240170ustar00rootroot00000000000000BSD 2-Clause License Copyright (c) 2017, Yasunari Momoi All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. golang-github-ymomoi-goval-parser-0.0~git20170813.0.0a0be1d/README.md000066400000000000000000000000521314404222300242570ustar00rootroot00000000000000# goval-parser OVAL parser written in go. golang-github-ymomoi-goval-parser-0.0~git20170813.0.0a0be1d/example.go000066400000000000000000000014631314404222300247710ustar00rootroot00000000000000package main import ( "encoding/xml" "fmt" "io/ioutil" "os" "github.com/k0kubun/pp" "github.com/ymomoi/goval-parser/oval" ) func main() { if len(os.Args) < 2 { fmt.Printf("usage: %s file1 file2 ...\n", os.Args[0]) return } for _, f := range os.Args[1:len(os.Args)] { fmt.Print(f + " : ") oval, err := readOval(f) if err != nil { fmt.Println(err.Error()) } pp.Println(oval) pp.Println(oval.Definitions.Definitions[0].Debian) } } // readOval : Read OVAL definitions from file func readOval(file string) (*oval.Root, error) { str, err := ioutil.ReadFile(file) if err != nil { return nil, fmt.Errorf("Can't open file: %s", err) } oval := &oval.Root{} err = xml.Unmarshal([]byte(str), oval) if err != nil { return nil, fmt.Errorf("Can't parse XML: %s", err) } return oval, nil } golang-github-ymomoi-goval-parser-0.0~git20170813.0.0a0be1d/glide.yaml000066400000000000000000000001431314404222300247510ustar00rootroot00000000000000package: github.com/ymomoi/goval-parser import: - package: github.com/k0kubun/pp version: ^2.3.0 golang-github-ymomoi-goval-parser-0.0~git20170813.0.0a0be1d/oval/000077500000000000000000000000001314404222300237445ustar00rootroot00000000000000golang-github-ymomoi-goval-parser-0.0~git20170813.0.0a0be1d/oval/types.go000066400000000000000000000150611314404222300254420ustar00rootroot00000000000000package oval import ( "encoding/xml" ) // Root : root object type Root struct { XMLName xml.Name `xml:"oval_definitions"` Generator Generator `xml:"generator"` Definitions Definitions `xml:"definitions"` Tests Tests `xml:"tests"` Objects Objects `xml:"objects"` States States `xml:"states"` } // Generator : >generator type Generator struct { XMLName xml.Name `xml:"generator"` ProductName string `xml:"product_name"` ProductVersion string `xml:"product_version"` SchemaVersion string `xml:"schema_version"` Timestamp string `xml:"timestamp"` } // Definitions : >definitions type Definitions struct { XMLName xml.Name `xml:"definitions"` Definitions []Definition `xml:"definition"` } // Definition : >definitions>definition type Definition struct { XMLName xml.Name `xml:"definition"` ID string `xml:"id,attr"` Class string `xml:"class,attr"` Title string `xml:"metadata>title"` Affecteds []Affected `xml:"metadata>affected"` References []Reference `xml:"metadata>reference"` Description string `xml:"metadata>description"` Advisory Advisory `xml:"metadata>advisory"` // RedHat, Oracle, Ubuntu Debian Debian `xml:"metadata>debian"` // Debian Criteria Criteria `xml:"criteria"` } // Criteria : >definitions>definition>criteria type Criteria struct { XMLName xml.Name `xml:"criteria"` Operator string `xml:"operator,attr"` Criterias []Criteria `xml:"criteria"` Criterions []Criterion `xml:"criterion"` } // Criterion : >definitions>definition>criteria>*>criterion type Criterion struct { XMLName xml.Name `xml:"criterion"` Negate bool `xml:"negate,attr"` TestRef string `xml:"test_ref,attr"` Comment string `xml:"comment,attr"` } // Affected : >definitions>definition>metadata>affected type Affected struct { XMLName xml.Name `xml:"affected"` Family string `xml:"family,attr"` Platforms []string `xml:"platform"` } // Reference : >definitions>definition>metadata>reference type Reference struct { XMLName xml.Name `xml:"reference"` Source string `xml:"source,attr"` RefID string `xml:"ref_id,attr"` RefURL string `xml:"ref_url,attr"` } // Advisory : >definitions>definition>metadata>advisory // RedHat and Ubuntu OVAL type Advisory struct { XMLName xml.Name `xml:"advisory"` Severity string `xml:"severity"` Cves []Cve `xml:"cve"` Bugzillas []Bugzilla `xml:"bugzilla"` AffectedCPEList []string `xml:"affected_cpe_list>cpe"` Refs []Ref `xml:"ref"` // Ubuntu Only Bugs []Bug `xml:"bug"` // Ubuntu Only Issued struct { Date string `xml:"date,attr"` } `xml:"issued"` Updated struct { Date string `xml:"date,attr"` } `xml:"updated"` } // Ref : >definitions>definition>metadata>advisory>ref // Ubuntu OVAL type Ref struct { XMLName xml.Name `xml:"ref"` URL string `xml:",chardata"` } // Bug : >definitions>definition>metadata>advisory>bug // Ubuntu OVAL type Bug struct { XMLName xml.Name `xml:"bug"` URL string `xml:",chardata"` } // Cve : >definitions>definition>metadata>advisory>cve // RedHat OVAL type Cve struct { XMLName xml.Name `xml:"cve"` CveID string `xml:",chardata"` Cvss2 string `xml:"cvss2,attr"` Cvss3 string `xml:"cvss3,attr"` Cwe string `xml:"cwe,attr"` Impact string `xml:"impact,attr"` Href string `xml:"href,attr"` Public string `xml:"public,attr"` } // Bugzilla : >definitions>definition>metadata>advisory>bugzilla // RedHat OVAL type Bugzilla struct { XMLName xml.Name `xml:"bugzilla"` ID string `xml:"id,attr"` URL string `xml:"href,attr"` Title string `xml:",chardata"` } // Debian : >definitions>definition>metadata>debian type Debian struct { XMLName xml.Name `xml:"debian"` MoreInfo string `xml:"moreinfo"` Date string `xml:"date"` } // Tests : >tests type Tests struct { XMLName xml.Name `xml:"tests"` LineTests []LineTest `xml:"line_test"` Version55Tests []Version55Test `xml:"version55_test"` } // LineTest : >tests>line_test type LineTest struct { XMLName xml.Name `xml:"line_test"` ID string `xml:"id,attr"` StateOperator string `xml:"state_operator,attr"` ObjectRefs []ObjectRef `xml:"object"` StateRefs []StateRef `xml:"state"` Comment string `xml:"comment,attr"` } // Version55Test : >tests>version55_test type Version55Test struct { XMLName xml.Name `xml:"version55_test"` ID string `xml:"id,attr"` StateOperator string `xml:"state_operator,attr"` ObjectRefs []ObjectRef `xml:"object"` StateRefs []StateRef `xml:"state"` Comment string `xml:"comment,attr"` } // ObjectRef : >tests>line_test>object-object_ref // : >tests>version55_test>object-object_ref type ObjectRef struct { XMLName xml.Name `xml:"object"` ObjectRef string `xml:"object_ref,attr"` } // StateRef : >tests>line_test>state-state_ref // : >tests>version55_test>state-state_ref type StateRef struct { XMLName xml.Name `xml:"state"` StateRef string `xml:"state_ref,attr"` } // Objects : >objects type Objects struct { XMLName xml.Name `xml:"objects"` LineObjects []LineObject `xml:"line_object"` Version55Objects []Version55Object `xml:"version55_object"` } // LineObject : >objects>line_object type LineObject struct { XMLName xml.Name `xml:"line_object"` ID string `xml:"id,attr"` ShowSubcommands []string `xml:"show_subcommand"` } // Version55Object : >objects>version55_object type Version55Object struct { XMLName xml.Name `xml:"version55_object"` ID string `xml:"id,attr"` } // States : >states type States struct { XMLName xml.Name `xml:"states"` LineStates []LineState `xml:"line_state"` Version55States []Version55State `xml:"version55_state"` } // LineState : >states>line_state type LineState struct { XMLName xml.Name `xml:"line_state"` ID string `xml:"id,attr"` ShowSubcommand string `xml:"show_subcommand"` ConfigLine ConfigLine `xml:"config_line"` } // ConfigLine : >states>line_state>config_line type ConfigLine struct { XMLName xml.Name `xml:"config_line"` Body string `xml:",chardata"` Operation string `xml:"operation,attr"` } // Version55State : >states>version55_state type Version55State struct { XMLName xml.Name `xml:"version55_state"` ID string `xml:"id,attr"` VersionString string `xml:"version_string"` } golang-github-ymomoi-goval-parser-0.0~git20170813.0.0a0be1d/testfile/000077500000000000000000000000001314404222300246225ustar00rootroot00000000000000golang-github-ymomoi-goval-parser-0.0~git20170813.0.0a0be1d/testfile/Red_Hat_Enterprise_Linux_7.xml000066400000000000000000273756321314404222300325100ustar00rootroot00000000000000 Red Hat OVAL Patch Definition Merger 3 5.10 2017-04-07T04:10:04 1491451780 RHSA-2014:0675: java-1.7.0-openjdk security update (Critical) Red Hat Enterprise Linux 7 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0455, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402, CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Critical Copyright 2014 Red Hat, Inc. CVE-2014-0429 CVE-2014-0446 CVE-2014-0451 CVE-2014-0452 CVE-2014-0453 CVE-2014-0454 CVE-2014-0455 CVE-2014-0456 CVE-2014-0457 CVE-2014-0458 CVE-2014-0459 CVE-2014-0460 CVE-2014-0461 CVE-2014-1876 CVE-2014-2397 CVE-2014-2398 CVE-2014-2402 CVE-2014-2403 CVE-2014-2412 CVE-2014-2413 CVE-2014-2414 CVE-2014-2421 CVE-2014-2423 CVE-2014-2427 CVE-2014-1876 OpenJDK: insecure temporary file use in unpack200 (Libraries, 8033618) CVE-2014-2398 OpenJDK: insufficient escaping of window title string (Javadoc, 8026736) CVE-2014-0453 OpenJDK: RSA unpadding timing issues (Security, 8027766) CVE-2014-0429 OpenJDK: Incorrect mlib/raster image validation (2D, 8027841) CVE-2014-0457 OpenJDK: ServiceLoader Exception handling security bypass (Libraries, 8031394) CVE-2014-0456 OpenJDK: System.arraycopy() element race condition (Hotspot, 8029858) CVE-2014-2421 OpenJDK: JPEG decoder input stream handling (2D, 8029854) CVE-2014-2397 OpenJDK: classfile parser invalid BootstrapMethods attribute length (Hotspot, 8034926) CVE-2014-0455 OpenJDK: MethodHandle variable argument lists handling (Libraries, 8029844) CVE-2014-0461 OpenJDK: Better ScriptEngineManager ScriptEngine management (Libraries, 8036794) CVE-2014-2412 OpenJDK: AWT thread context handling (AWT, 8025010) CVE-2014-0451 OpenJDK: AWT incorrect FlavorMap seperation (AWT, 8026797) CVE-2014-0458 OpenJDK: Activation framework default command map caching (JAX-WS, 8025152) CVE-2014-2414 OpenJDK: incorrect caching of data initialized via TCCL (JAXB, 8025030) CVE-2014-2423 OpenJDK: incorrect caching of data initialized via TCCL (JAXWS, 8026188) CVE-2014-0452 OpenJDK: incorrect caching of data initialized via TCCL (JAXWS, 8026801) CVE-2014-2402 OpenJDK: Incorrect NIO channel separation (Libraries, 8026716) CVE-2014-0446 OpenJDK: Protect logger handlers (Libraries, 8029740) CVE-2014-0454 OpenJDK: Prevent SIGNATURE_PRIMITIVE_SET from being modified (Security, 8029745) CVE-2014-2427 OpenJDK: remove insecure Java Sound provider caching (Sound, 8026163) CVE-2014-0460 OpenJDK: missing randomization of JNDI DNS client query IDs (JNDI, 8030731) CVE-2014-2403 OpenJDK: JAXP CharInfo file access restriction (JAXP, 8029282) CVE-2014-0459 lcms: insufficient ICC profile version validation (OpenJDK 2D, 8031335) CVE-2014-2413 OpenJDK: method handle call hierachy bypass (Libraries, 8032686) cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0678: kernel security update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A race condition flaw, leading to heap-based buffer overflows, was found in the way the Linux kernel's N_TTY line discipline (LDISC) implementation handled concurrent processing of echo output and TTY write operations originating from user space when the underlying TTY driver was PTY. An unprivileged, local user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-0196, Important) All kernel users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-0196 CVE-2014-0196 kernel: pty layer race condition leading to memory corruption cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0679: openssl security update (Important) Red Hat Enterprise Linux 7 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224) Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433 A buffer overflow flaw was found in the way OpenSSL handled invalid DTLS packet fragments. A remote attacker could possibly use this flaw to execute arbitrary code on a DTLS client or server. (CVE-2014-0195) Multiple flaws were found in the way OpenSSL handled read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was enabled. A TLS/SSL client or server using OpenSSL could crash or unexpectedly drop connections when processing certain SSL traffic. (CVE-2010-5298, CVE-2014-0198) A denial of service flaw was found in the way OpenSSL handled certain DTLS ServerHello requests. A specially crafted DTLS handshake packet could cause a DTLS client using OpenSSL to crash. (CVE-2014-0221) A NULL pointer dereference flaw was found in the way OpenSSL performed anonymous Elliptic Curve Diffie Hellman (ECDH) key exchange. A specially crafted handshake packet could cause a TLS/SSL client that has the anonymous ECDH cipher suite enabled to crash. (CVE-2014-3470) Red Hat would like to thank the OpenSSL project for reporting these issues. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of CVE-2014-0224, Jüri Aedla as the original reporter of CVE-2014-0195, Imre Rad of Search-Lab as the original reporter of CVE-2014-0221, and Felix Gröbert and Ivan Fratrić of Google as the original reporters of CVE-2014-3470. All OpenSSL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted. Important Copyright 2014 Red Hat, Inc. CVE-2010-5298 CVE-2014-0195 CVE-2014-0198 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470 CVE-2010-5298 openssl: freelist misuse causing a possible use-after-free CVE-2014-0198 openssl: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference in do_ssl3_write() CVE-2014-0224 openssl: SSL/TLS MITM vulnerability CVE-2014-0221 openssl: DoS when sending invalid DTLS handshake CVE-2014-0195 openssl: Buffer overflow via DTLS invalid fragment CVE-2014-3470 openssl: client-side denial of service when using anonymous ECDH cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0680: openssl098e security update (Important) Red Hat Enterprise Linux 7 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224) Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433 Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of this issue. All OpenSSL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted. Important Copyright 2014 Red Hat, Inc. CVE-2014-0224 CVE-2014-0224 openssl: SSL/TLS MITM vulnerability cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0684: gnutls security update (Important) Red Hat Enterprise Linux 7 The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466) A NULL pointer dereference flaw was found in the way GnuTLS parsed X.509 certificates. A specially crafted certificate could cause a server or client application using GnuTLS to crash. (CVE-2014-3465) Red Hat would like to thank GnuTLS upstream for reporting these issues. Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter of CVE-2014-3466. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted. Important Copyright 2014 Red Hat, Inc. CVE-2014-3465 CVE-2014-3466 CVE-2014-3465 gnutls: gnutls_x509_dn_oid_name NULL pointer dereference CVE-2014-3466 gnutls: insufficient session id length check in _gnutls_read_server_hello (GNUTLS-SA-2014-3) cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0685: java-1.6.0-openjdk security update (Important) Red Hat Enterprise Linux 7 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-0446, CVE-2014-2427) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-0429 CVE-2014-0446 CVE-2014-0451 CVE-2014-0452 CVE-2014-0453 CVE-2014-0456 CVE-2014-0457 CVE-2014-0458 CVE-2014-0460 CVE-2014-0461 CVE-2014-1876 CVE-2014-2397 CVE-2014-2398 CVE-2014-2403 CVE-2014-2412 CVE-2014-2414 CVE-2014-2421 CVE-2014-2423 CVE-2014-2427 CVE-2014-1876 OpenJDK: insecure temporary file use in unpack200 (Libraries, 8033618) CVE-2014-2398 OpenJDK: insufficient escaping of window title string (Javadoc, 8026736) CVE-2014-0453 OpenJDK: RSA unpadding timing issues (Security, 8027766) CVE-2014-0429 OpenJDK: Incorrect mlib/raster image validation (2D, 8027841) CVE-2014-0457 OpenJDK: ServiceLoader Exception handling security bypass (Libraries, 8031394) CVE-2014-0456 OpenJDK: System.arraycopy() element race condition (Hotspot, 8029858) CVE-2014-2421 OpenJDK: JPEG decoder input stream handling (2D, 8029854) CVE-2014-2397 OpenJDK: classfile parser invalid BootstrapMethods attribute length (Hotspot, 8034926) CVE-2014-0461 OpenJDK: Better ScriptEngineManager ScriptEngine management (Libraries, 8036794) CVE-2014-2412 OpenJDK: AWT thread context handling (AWT, 8025010) CVE-2014-0451 OpenJDK: AWT incorrect FlavorMap seperation (AWT, 8026797) CVE-2014-0458 OpenJDK: Activation framework default command map caching (JAX-WS, 8025152) CVE-2014-2414 OpenJDK: incorrect caching of data initialized via TCCL (JAXB, 8025030) CVE-2014-2423 OpenJDK: incorrect caching of data initialized via TCCL (JAXWS, 8026188) CVE-2014-0452 OpenJDK: incorrect caching of data initialized via TCCL (JAXWS, 8026801) CVE-2014-0446 OpenJDK: Protect logger handlers (Libraries, 8029740) CVE-2014-2427 OpenJDK: remove insecure Java Sound provider caching (Sound, 8026163) CVE-2014-0460 OpenJDK: missing randomization of JNDI DNS client query IDs (JNDI, 8030731) CVE-2014-2403 OpenJDK: JAXP CharInfo file access restriction (JAXP, 8029282) cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0686: tomcat security update (Important) Red Hat Enterprise Linux 7 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that a fix for a previous security flaw introduced a regression that could cause a denial of service in Tomcat 7. A remote attacker could use this flaw to consume an excessive amount of CPU on the Tomcat server by sending a specially crafted request to that server. (CVE-2014-0186) It was found that when Tomcat 7 processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286) It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat 7 processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. (CVE-2013-4322) All Tomcat 7 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2013-4286 CVE-2013-4322 CVE-2014-0186 CVE-2013-4322 tomcat: incomplete fix for CVE-2012-3544 CVE-2013-4286 tomcat: multiple content-length header poisoning flaws CVE-2014-0186 tomcat7: RHEL-7 regression causing DoS cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0687: libtasn1 security update (Moderate) Red Hat Enterprise Linux 7 The libtasn1 library provides Abstract Syntax Notation One (ASN.1) parsing and structures management, and Distinguished Encoding Rules (DER) encoding and decoding functions. It was discovered that the asn1_get_bit_der() function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code. (CVE-2014-3468) Multiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash. (CVE-2014-3467) Multiple NULL pointer dereference flaws were found in libtasn1's asn1_read_value() function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way. (CVE-2014-3469) Red Hat would like to thank GnuTLS upstream for reporting these issues. All libtasn1 users are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the libtasn1 library must be restarted. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 CVE-2014-3467 libtasn1: multiple boundary check issues CVE-2014-3468 libtasn1: asn1_get_bit_der() can return negative bit length CVE-2014-3469 libtasn1: asn1_read_value_type() NULL pointer dereference cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0702: mariadb security update (Moderate) Red Hat Enterprise Linux 7 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2014-2436, CVE-2014-2440, CVE-2014-0384, CVE-2014-2419, CVE-2014-2430, CVE-2014-2431, CVE-2014-2432, CVE-2014-2438) These updated packages upgrade MariaDB to version 5.5.37. Refer to the MariaDB Release Notes listed in the References section for a complete list of changes. All MariaDB users should upgrade to these updated packages, which correct these issues. After installing this update, the MariaDB server daemon (mysqld) will be restarted automatically. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-0384 CVE-2014-2419 CVE-2014-2430 CVE-2014-2431 CVE-2014-2432 CVE-2014-2436 CVE-2014-2438 CVE-2014-0384 mysql: unspecified DoS related to XML (CPU April 2014) CVE-2014-2419 mysql: unspecified DoS related to Partition (CPU April 2014) CVE-2014-2430 mysql: unspecified DoS related to Performance Schema (CPU April 2014) CVE-2014-2431 mysql: unspecified DoS related to Options (CPU April 2014) CVE-2014-2432 mysql: unspecified DoS related to Federated (CPU April 2014) CVE-2014-2436 mysql: unspecified vulnerability related to RBR (CPU April 2014) CVE-2014-2438 mysql: unspecified DoS related to Replication (CPU April 2014) CVE-2014-2440 mysql: unspecified vulnerability related to Client (CPU April 2014) cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0703: json-c security update (Moderate) Red Hat Enterprise Linux 7 JSON-C implements a reference counting object model that allows you to easily construct JSON objects in C, output them as JSON-formatted strings, and parse JSON-formatted strings back into the C representation of JSON objects. Multiple buffer overflow flaws were found in the way the json-c library handled long strings in JSON documents. An attacker able to make an application using json-c parse excessively large JSON input could cause the application to crash. (CVE-2013-6370) A denial of service flaw was found in the implementation of hash arrays in json-c. An attacker could use this flaw to make an application using json-c consume an excessive amount of CPU time by providing a specially crafted JSON document that triggers multiple hash function collisions. To mitigate this issue, json-c now uses a different hash function and randomization to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2013-6371) These issues were discovered by Florian Weimer of the Red Hat Product Security Team. All json-c users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2014 Red Hat, Inc. CVE-2013-6370 CVE-2013-6371 CVE-2013-6371 json-c: hash collision DoS CVE-2013-6370 json-c: buffer overflow if size_t is larger than int cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0704: qemu-kvm security and bug fix update (Moderate) Red Hat Enterprise Linux 7 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide a user-space component to run virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU's IDE device driver handled the execution of SMART EXECUTE OFFLINE commands. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-2894) This update also fixes the following bugs: * Prior to this update, a bug in the migration code caused the following error on specific machine types: after a Red Hat Enterprise Linux 6.5 guest was migrated from a Red Hat Enterprise Linux 6.5 host to a Red Hat Enterprise Linux 7.0 host and then restarted, the boot failed and the guest automatically restarted. Thus, the guest entered an endless loop. With this update, the migration code has been fixed and the Red Hat Enterprise Linux 6.5 guests migrated in the aforementioned scenario now boot properly. (BZ#1091322) * Due to a regression bug in the iSCSI driver, the qemu-kvm process terminated unexpectedly with a segmentation fault when the "write same" command was executed in guest mode under the iSCSI protocol. This update fixes the regression and the "write same" command now functions in guest mode under iSCSI as intended. (BZ#1090978) * Due to a mismatch in interrupt request (IRQ) routing, migration of a Red Hat Enterprise Linux 6.5 guest from a Red Hat Enterprise Linux 6.5 host to a Red Hat Enterprise Linux 7.0 host could produce a call trace. This happened if memory ballooning and a Universal Host Control Interface (UHCI) device were used at the same time on certain machine types. With this patch, the IRQ routing mismatch has been amended and the described migration now proceeds as expected. (BZ#1090981) * Previously, an internal error prevented KVM from executing a CPU hot plug on a Red Hat Enterprise Linux 7 guest running on a Red Hat Enterprise Linux 7 host. This update addresses the internal error and CPU hot plugging in the described scenario now functions correctly. (BZ#1094820) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-2894 CVE-2014-2894 QEMU: out of bounds buffer accesses, guest triggerable via IDE SMART qemu-kvm: iSCSI: Failure. SENSE KEY:ILLEGAL_REQUEST(5) ASCQ:INVALID_FIELD_IN_CDB(0x2400) Guest hits call trace migrate from RHEL6.5 to RHEL7.0 host with -M 6.1 & balloon & uhci device fail to reboot guest after migration from RHEL6.5 host to RHEL7.0 host Hot plug CPU not working with RHEL6 machine types running on RHEL7 host. cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0741: firefox security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2014-1533, CVE-2014-1538, CVE-2014-1541) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Gary Kwong, Christoph Diehl, Christian Holler, Hannes Verschore, Jan de Mooij, Ryan VanderMeulen, Jeff Walden, Kyle Huey, Abhishek Arya, and Nils as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 24.6.0 ESR. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 24.6.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2014 Red Hat, Inc. CVE-2014-1533 CVE-2014-1538 CVE-2014-1541 CVE-2014-1533 Mozilla: Miscellaneous memory safety hazards (rv:24.6) (MFSA 2014-48) CVE-2014-1538 Mozilla: Use-after-free and out of bounds issues found using Address Sanitizer (MFSA 2014-49) CVE-2014-1541 Mozilla: Use-after-free with SMIL Animation Controller (MFSA 2014-52) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:0786: kernel security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's futex subsystem handled the requeuing of certain Priority Inheritance (PI) futexes. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2014-3153, Important) * A use-after-free flaw was found in the way the ping_init_sock() function of the Linux kernel handled the group_info reference counter. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-2851, Important) * Use-after-free and information leak flaws were found in the way the Linux kernel's floppy driver processed the FDRAWCMD IOCTL command. A local user with write access to /dev/fdX could use these flaws to escalate their privileges on the system. (CVE-2014-1737, CVE-2014-1738, Important) * It was found that the aio_read_events_ring() function of the Linux kernel's Asynchronous I/O (AIO) subsystem did not properly sanitize the AIO ring head received from user space. A local, unprivileged user could use this flaw to disclose random parts of the (physical) memory belonging to the kernel and/or other processes. (CVE-2014-0206, Moderate) * An out-of-bounds memory access flaw was found in the Netlink Attribute extension of the Berkeley Packet Filter (BPF) interpreter functionality in the Linux kernel's networking implementation. A local, unprivileged user could use this flaw to crash the system or leak kernel memory to user space via a specially crafted socket filter. (CVE-2014-3144, CVE-2014-3145, Moderate) * An information leak flaw was found in the way the skb_zerocopy() function copied socket buffers (skb) that are backed by user-space buffers (for example vhost-net and Xen netback), potentially allowing an attacker to read data from those buffers. (CVE-2014-2568, Low) Red Hat would like to thank Kees Cook of Google for reporting CVE-2014-3153 and Matthew Daley for reporting CVE-2014-1737 and CVE-2014-1738. Google acknowledges Pinkie Pie as the original reporter of CVE-2014-3153. The CVE-2014-0206 issue was discovered by Mateusz Guzik of Red Hat. This update also fixes the following bugs: * Due to incorrect calculation of Tx statistics in the qlcninc driver, running the "ethtool -S ethX" command could trigger memory corruption. As a consequence, running the sosreport tool, that uses this command, resulted in a kernel panic. The problem has been fixed by correcting the said statistics calculation. (BZ#1104972) * When an attempt to create a file on the GFS2 file system failed due to a file system quota violation, the relevant VFS inode was not completely uninitialized. This could result in a list corruption error. This update resolves this problem by correctly uninitializing the VFS inode in this situation. (BZ#1097407) * Due to a race condition in the kernel, the getcwd() system call could return "/" instead of the correct full path name when querying a path name of a file or directory. Paths returned in the "/proc" file system could also be incorrect. This problem was causing instability of various applications. The aforementioned race condition has been fixed and getcwd() now always returns the correct paths. (BZ#1099048) In addition, this update adds the following enhancements: * The kernel mutex code has been improved. The changes include improved queuing of the MCS spin locks, the MCS code optimization, introduction of the cancellable MCS spin locks, and improved handling of mutexes without wait locks. (BZ#1103631, BZ#1103629) * The handling of the Virtual Memory Area (VMA) cache and huge page faults has been improved. (BZ#1103630) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. The system must be rebooted for this update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-0206 CVE-2014-1737 CVE-2014-1738 CVE-2014-2568 CVE-2014-2851 CVE-2014-3144 CVE-2014-3145 CVE-2014-3153 CVE-2014-2568 kernel: net: potential information leak when ubuf backed skbs are skb_zerocopy()ied CVE-2014-2851 kernel: net: ping: refcount issue in ping_init_sock() function CVE-2014-1737 CVE-2014-1738 kernel: block: floppy: privilege escalation via FDRAWCMD floppy ioctl command CVE-2014-0206 kernel: aio: insufficient sanitization of head in aio_read_events_ring() CVE-2014-3144 CVE-2014-3145 Kernel: filter: prevent nla extensions to peek beyond the end of the message CVE-2014-3153 kernel: futex: pi futexes requeue issue cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0790: dovecot security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Dovecot is an IMAP server, written with security primarily in mind, for Linux and other UNIX-like systems. It also contains a small POP3 server. It supports mail in both the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. It was discovered that Dovecot did not properly discard connections trapped in the SSL/TLS handshake phase. A remote attacker could use this flaw to cause a denial of service on an IMAP/POP3 server by exhausting the pool of available connections and preventing further, legitimate connections to the IMAP/POP3 server to be made. (CVE-2014-3430) All dovecot users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the dovecot service will be restarted automatically. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-3430 CVE-2014-3430 dovecot: denial of service through maxxing out SSL connections cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:0827: tomcat security update (Moderate) Red Hat Enterprise Linux 7 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was discovered that Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against Tomcat by streaming an unlimited quantity of data, leading to excessive consumption of server resources. (CVE-2014-0075) It was found that Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a Tomcat server located behind a reverse proxy that processed the content length header correctly. (CVE-2014-0099) It was found that the org.apache.catalina.servlets.DefaultServlet implementation in Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information. (CVE-2014-0096) The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product Security. All Tomcat 7 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0861: lzo security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 LZO is a portable lossless data compression library written in ANSI C. An integer overflow flaw was found in the way the lzo library decompressed certain archives compressed with the LZO algorithm. An attacker could create a specially crafted LZO-compressed input that, when decompressed by an application using the lzo library, would cause that application to crash or, potentially, execute arbitrary code. (CVE-2014-4607) Red Hat would like to thank Don A. Bailey from Lab Mouse Security for reporting this issue. All lzo users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the lzo library must be restarted or the system rebooted. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-4607 CVE-2014-4607 lzo: lzo1x_decompress_safe() integer overflow cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:0867: samba security update (Moderate) Red Hat Enterprise Linux 7 Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A denial of service flaw was found in the way the sys_recvfile() function of nmbd, the NetBIOS message block daemon, processed non-blocking sockets. An attacker could send a specially crafted packet that, when processed, would cause nmbd to enter an infinite loop and consume an excessive amount of CPU time. (CVE-2014-0244) A flaw was found in the way Samba created responses for certain authenticated client requests when a shadow-copy VFS module was enabled. An attacker able to send an authenticated request could use this flaw to disclose limited portions of memory per each request. (CVE-2014-0178) It was discovered that smbd, the Samba file server daemon, did not properly handle certain files that were stored on the disk and used a valid Unicode character in the file name. An attacker able to send an authenticated non-Unicode request that attempted to read such a file could cause smbd to crash. (CVE-2014-3493) Red Hat would like to thank Daniel Berteaud of FIREWALL-SERVICES SARL for reporting CVE-2014-0244, and the Samba project for reporting CVE-2014-0178 and CVE-2014-3493. The Samba project acknowledges Christof Schmitt as the original reporter of CVE-2014-0178, and Simon Arlott as the original reporter of CVE-2014-3493. All Samba users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-0178 CVE-2014-0244 CVE-2014-3493 CVE-2014-0244 samba: nmbd denial of service CVE-2014-0178 samba: Uninitialized memory exposure CVE-2014-3493 samba: smbd unicode path names denial of service cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0889: java-1.7.0-openjdk security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-4216, CVE-2014-4219) A format string flaw was discovered in the Hotspot component event logger in OpenJDK. An untrusted Java application or applet could use this flaw to crash the Java Virtual Machine or, potentially, execute arbitrary code with the privileges of the Java Virtual Machine. (CVE-2014-2490) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-4223, CVE-2014-4262, CVE-2014-2483) Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-4209, CVE-2014-4218, CVE-2014-4221, CVE-2014-4252, CVE-2014-4266) It was discovered that the RSA algorithm in the Security component in OpenJDK did not sufficiently perform blinding while performing operations that were using private keys. An attacker able to measure timing differences of those operations could possibly leak information about the used keys. (CVE-2014-4244) The Diffie-Hellman (DH) key exchange algorithm implementation in the Security component in OpenJDK failed to validate public DH parameters properly. This could cause OpenJDK to accept and use weak parameters, allowing an attacker to recover the negotiated key. (CVE-2014-4263) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Critical Copyright 2014 Red Hat, Inc. CVE-2014-2483 CVE-2014-2490 CVE-2014-4209 CVE-2014-4216 CVE-2014-4218 CVE-2014-4219 CVE-2014-4221 CVE-2014-4223 CVE-2014-4244 CVE-2014-4252 CVE-2014-4262 CVE-2014-4263 CVE-2014-4266 CVE-2014-4262 OpenJDK: AtomicReferenceFieldUpdater missing primitive type check (Libraries, 8039520) CVE-2014-4244 OpenJDK: RSA blinding issues (Security, 8031346) CVE-2014-4263 OpenJDK: insufficient Diffie-Hellman public key validation (Security, 8037162) CVE-2014-4221 OpenJDK: MethodHandles.Lookup insufficient modifiers checks (Libraries, 8035788) CVE-2014-4219 OpenJDK: Bytecode verification does not prevent ctor calls to this() and super() (Hotspot, 8035119) CVE-2014-2490 OpenJDK: Event logger format string vulnerability (Hotspot, 8037076) CVE-2014-4216 OpenJDK: Incorrect generic signature attribute parsing (Hotspot, 8037076) CVE-2014-4223 OpenJDK: Incorrect handling of invocations with exhausted ranks (Libraries, 8035793) CVE-2014-4209 OpenJDK: SubjectDelegator protection insufficient (JMX, 8029755) CVE-2014-4218 OpenJDK: Clone interfaces passed to proxy methods (Libraries, 8035009) CVE-2014-4252 OpenJDK: Prevent instantiation of service with non-public constructor (Security, 8035004) CVE-2014-4266 OpenJDK: InfoBuilder incorrect return values (Serviceability, 8033301) CVE-2014-2483 OpenJDK: Restrict use of privileged annotations (Libraries, 8034985) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:0907: java-1.6.0-openjdk security and bug fix update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-4216, CVE-2014-4219) A format string flaw was discovered in the Hotspot component event logger in OpenJDK. An untrusted Java application or applet could use this flaw to crash the Java Virtual Machine or, potentially, execute arbitrary code with the privileges of the Java Virtual Machine. (CVE-2014-2490) An improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2014-4262) Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-4209, CVE-2014-4218, CVE-2014-4252, CVE-2014-4266) It was discovered that the RSA algorithm in the Security component in OpenJDK did not sufficiently perform blinding while performing operations that were using private keys. An attacker able to measure timing differences of those operations could possibly leak information about the used keys. (CVE-2014-4244) The Diffie-Hellman (DH) key exchange algorithm implementation in the Security component in OpenJDK failed to validate public DH parameters properly. This could cause OpenJDK to accept and use weak parameters, allowing an attacker to recover the negotiated key. (CVE-2014-4263) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. This update also fixes the following bug: * Prior to this update, an application accessing an unsynchronized HashMap could potentially enter an infinite loop and consume an excessive amount of CPU resources. This update resolves this issue. (BZ#1115580) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-2490 CVE-2014-4209 CVE-2014-4216 CVE-2014-4218 CVE-2014-4219 CVE-2014-4244 CVE-2014-4252 CVE-2014-4262 CVE-2014-4263 CVE-2014-4266 CVE-2014-4262 OpenJDK: AtomicReferenceFieldUpdater missing primitive type check (Libraries, 8039520) CVE-2014-4244 OpenJDK: RSA blinding issues (Security, 8031346) CVE-2014-4263 OpenJDK: insufficient Diffie-Hellman public key validation (Security, 8037162) CVE-2014-4219 OpenJDK: Bytecode verification does not prevent ctor calls to this() and super() (Hotspot, 8035119) CVE-2014-2490 OpenJDK: Event logger format string vulnerability (Hotspot, 8037076) CVE-2014-4216 OpenJDK: Incorrect generic signature attribute parsing (Hotspot, 8037076) CVE-2014-4209 OpenJDK: SubjectDelegator protection insufficient (JMX, 8029755) CVE-2014-4218 OpenJDK: Clone interfaces passed to proxy methods (Libraries, 8035009) CVE-2014-4252 OpenJDK: Prevent instantiation of service with non-public constructor (Security, 8035004) CVE-2014-4266 OpenJDK: InfoBuilder incorrect return values (Serviceability, 8033301) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 RHSA-2014:0914: libvirt security and bug fix update (Moderate) Red Hat Enterprise Linux 7 The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file; parsing an XML document with an entity pointing to a special file that blocks on read access could cause libvirtd to hang indefinitely, resulting in a denial of service on the system. (CVE-2014-0179) Red Hat would like to thank the upstream Libvirt project for reporting this issue. Upstream acknowledges Daniel P. Berrange and Richard Jones as the original reporters. This update also fixes the following bugs: * A previous update of the libvirt package introduced an error; a SIG_SETMASK argument was incorrectly replaced by a SIG_BLOCK argument after the poll() system call. Consequently, the SIGCHLD signal could be permanently blocked, which caused signal masks to not return to their original values and defunct processes to be generated. With this update, the original signal masks are restored and defunct processes are no longer generated. (BZ#1112689) * An attempt to start a domain that did not exist caused network filters to be locked for read-only access. As a consequence, when trying to gain read-write access, a deadlock occurred. This update applies a patch to fix this bug and an attempt to start a non-existent domain no longer causes a deadlock in the described scenario. (BZ#1112690) * Previously, the libvirtd daemon was binding only to addresses that were configured on certain network interfaces. When libvirtd started before the IPv4 addresses had been configured, libvirtd listened only on the IPv6 addresses. The daemon has been modified to not require an address to be configured when binding to a wildcard address, such as "0.0.0.0" or "::". As a result, libvirtd binds to both IPv4 and IPv6 addresses as expected. (BZ#1112692) Users of libvirt are advised to upgrade to these updated packages, which fix these bugs. After installing the updated packages, libvirtd will be restarted automatically. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-0179 CVE-2014-5177 CVE-2014-0179 CVE-2014-5177 libvirt: unsafe parsing of XML documents allows libvirt DoS and/or arbitrary file read use of tls with libvirt.so can leave zombie processes nwfilter deadlock libvirt binds only to ipv6 cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0916: nss and nspr security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. A race condition was found in the way NSS verified certain certificates. A remote attacker could use this flaw to crash an application using NSS or, possibly, execute arbitrary code with the privileges of the user running that application. (CVE-2014-1544) Red Hat would like to thank the Mozilla project for reporting CVE-2014-1544. Upstream acknowledges Tyson Smith and Jesse Schwartzentruber as the original reporters. Users of NSS and NSPR are advised to upgrade to these updated packages, which correct this issue. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect. Critical Copyright 2014 Red Hat, Inc. CVE-2014-1544 CVE-2014-1544 nss: Race-condition in certificate verification can lead to Remote code execution (MFSA 2014-63) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0919: firefox security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2014-1547, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christian Holler, David Keeler, Byron Campen, Jethro Beekman, Patrick Cozzi, and Mozilla community member John as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 24.7.0 ESR. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 24.7.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2014 Red Hat, Inc. CVE-2014-1547 CVE-2014-1555 CVE-2014-1556 CVE-2014-1557 CVE-2014-1547 Mozilla: Miscellaneous memory safety hazards (rv:24.7) (MFSA 2014-56) CVE-2014-1555 Mozilla: Use-after-free with FireOnStateChange event (MFSA 2014-61) CVE-2014-1556 Mozilla: Exploitable WebGL crash with Cesium JavaScript library (MFSA 2014-62) CVE-2014-1557 Mozilla: Crash in Skia library when scaling high quality images (MFSA 2014-64) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:0921: httpd security update (Important) Red Hat Enterprise Linux 7 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. (CVE-2014-0226) A NULL pointer dereference flaw was found in the mod_cache httpd module. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP Server was used as a forward proxy with caching. (CVE-2013-4352) A denial of service flaw was found in the mod_proxy httpd module. A remote attacker could send a specially crafted request to a server configured as a reverse proxy using a threaded Multi-Processing Modules (MPM) that would cause the httpd child process to crash. (CVE-2014-0117) A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. (CVE-2014-0118) A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231) All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically. Important Copyright 2014 Red Hat, Inc. CVE-2013-4352 CVE-2014-0117 CVE-2014-0118 CVE-2014-0226 CVE-2014-0231 CVE-2014-0231 httpd: mod_cgid denial of service CVE-2014-0117 httpd: mod_proxy denial of service CVE-2014-0118 httpd: mod_deflate denial of service CVE-2014-0226 httpd: mod_status heap-based buffer overflow CVE-2013-4352 httpd: mod_cache NULL pointer dereference crash cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0923: kernel security update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Linux kernel's ptrace subsystem allowed a traced process' instruction pointer to be set to a non-canonical memory address without forcing the non-sysret code path when returning to user space. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-4699, Important) Note: The CVE-2014-4699 issue only affected systems using an Intel CPU. * A flaw was found in the way the pppol2tp_setsockopt() and pppol2tp_getsockopt() functions in the Linux kernel's PPP over L2TP implementation handled requests with a non-SOL_PPPOL2TP socket option level. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2014-4943, Important) Red Hat would like to thank Andy Lutomirski for reporting CVE-2014-4699, and Sasha Levin for reporting CVE-2014-4943. All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-4699 CVE-2014-4943 CVE-2014-4699 kernel: x86_64: ptrace: sysret to non-canonical address CVE-2014-4943 kernel: net: pppol2tp: level handling in pppol2tp_[s,g]etsockopt() cpe:/o:redhat:enterprise_linux:7 RHSA-2014:0927: qemu-kvm security and bug fix update (Moderate) Red Hat Enterprise Linux 7 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way virtio, virtio-net, virtio-scsi, usb, and hpet drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) These issues were discovered by Michael S. Tsirkin, Anthony Liguori and Michael Roth of Red Hat: CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, and CVE-2014-3461. This update also fixes the following bugs: * Previously, QEMU did not free pre-allocated zero clusters correctly and the clusters under some circumstances leaked. With this update, pre-allocated zero clusters are freed appropriately and the cluster leaks no longer occur. (BZ#1110188) * Prior to this update, the QEMU command interface did not properly handle resizing of cache memory during guest migration, causing QEMU to terminate unexpectedly with a segmentation fault and QEMU to fail. This update fixes the related code and QEMU no longer crashes in the described situation. (BZ#1110191) * Previously, when a guest device was hot unplugged, QEMU correctly removed the corresponding file descriptor watch but did not re-create it after the device was re-connected. As a consequence, the guest became unable to receive any data from the host over this device. With this update, the file descriptor's watch is re-created and the guest in the above scenario can communicate with the host as expected. (BZ#1110219) * Previously, the QEMU migration code did not account for the gaps caused by hot unplugged devices and thus expected more memory to be transferred during migrations. As a consequence, guest migration failed to complete after multiple devices were hot unplugged. In addition, the migration info text displayed erroneous values for the "remaining ram" item. With this update, QEMU calculates memory after a device has been unplugged correctly, and any subsequent guest migrations proceed as expected. (BZ#1110189) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect. Moderate Copyright 2014 Red Hat, Inc. CVE-2013-4148 CVE-2013-4149 CVE-2013-4150 CVE-2013-4151 CVE-2013-4527 CVE-2013-4529 CVE-2013-4535 CVE-2013-4536 CVE-2013-4541 CVE-2013-4542 CVE-2013-6399 CVE-2014-0182 CVE-2014-0222 CVE-2014-0223 CVE-2014-3461 CVE-2013-4148 qemu: virtio-net: buffer overflow on invalid state load CVE-2013-4149 qemu: virtio-net: out-of-bounds buffer write on load CVE-2013-4150 qemu: virtio-net: out-of-bounds buffer write on invalid state load CVE-2013-4151 qemu: virtio: out-of-bounds buffer write on invalid state load CVE-2013-4527 qemu: hpet: buffer overrun on invalid state load CVE-2013-4529 qemu: hw/pci/pcie_aer.c: buffer overrun on invalid state load CVE-2013-6399 qemu: virtio: buffer overrun on incoming migration CVE-2013-4542 qemu: virtio-scsi: buffer overrun on invalid state load CVE-2013-4541 qemu: usb: insufficient sanity checking of setup_index+setup_len in post_load CVE-2013-4535 CVE-2013-4536 qemu: virtio: insufficient validation of num_sg when mapping CVE-2014-0182 qemu: virtio: out-of-bounds buffer write on state load with invalid config_len CVE-2014-3461 Qemu: usb: fix up post load checks CVE-2014-0222 Qemu: qcow1: validate L2 table size to avoid integer overflows CVE-2014-0223 Qemu: qcow1: validate image size to avoid out-of-bounds memory access qcow2 corruptions (leaked clusters after installing a rhel7 guest using virtio_scsi) migration can not finish with 1024k 'remaining ram' left after hotunplug 4 nics Reduce the migrate cache size during migration causes qemu segment fault Guest can't receive any character transmitted from host after hot unplugging virtserialport then hot plugging again cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1008: samba security and bug fix update (Important) Red Hat Enterprise Linux 7 Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A heap-based buffer overflow flaw was found in Samba's NetBIOS message block daemon (nmbd). An attacker on the local network could use this flaw to send specially crafted packets that, when processed by nmbd, could possibly lead to arbitrary code execution with root privileges. (CVE-2014-3560) This update also fixes the following bug: * Prior to this update, Samba incorrectly used the O_TRUNC flag when using the open(2) system call to access the contents of a file that was already opened by a different process, causing the file's previous contents to be removed. With this update, the O_TRUNC flag is no longer used in the above scenario, and file corruption no longer occurs. (BZ#1115490) All Samba users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically. Important Copyright 2014 Red Hat, Inc. CVE-2014-3560 Samba file corruption as a result of failed lock check cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1011: resteasy-base security update (Moderate) Red Hat Enterprise Linux 7 RESTEasy contains a JBoss project that provides frameworks to help build RESTful Web Services and RESTful Java applications. It is a fully certified and portable implementation of the JAX-RS specification. It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2014-3490) This issue was discovered by David Jorm of Red Hat Product Security. All resteasy-base users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-3490 CVE-2014-3490 RESTEasy: XXE via parameter entities cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1013: php security update (Moderate) Red Hat Enterprise Linux 7 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. PHP's fileinfo module provides functions used to identify a particular file according to the type of data contained by the file. A denial of service flaw was found in the File Information (fileinfo) extension rules for detecting AWK files. A remote attacker could use this flaw to cause a PHP application using fileinfo to consume an excessive amount of CPU. (CVE-2013-7345) Multiple denial of service flaws were found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use either of these flaws to crash a PHP application using fileinfo via a specially crafted CDF file. (CVE-2014-0207, CVE-2014-0237, CVE-2014-0238, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487) A heap-based buffer overflow flaw was found in the way PHP parsed DNS TXT records. A malicious DNS server or a man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application used the dns_get_record() function to perform a DNS query. (CVE-2014-4049) A type confusion issue was found in PHP's phpinfo() function. A malicious script author could possibly use this flaw to disclose certain portions of server memory. (CVE-2014-4721) A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application. (CVE-2014-3515) The CVE-2014-0207, CVE-2014-0237, CVE-2014-0238, CVE-2014-3479, CVE-2014-3480, and CVE-2014-3487 issues were discovered by Francisco Alonso of Red Hat Product Security. All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2014 Red Hat, Inc. CVE-2013-7345 CVE-2014-0207 CVE-2014-0237 CVE-2014-0238 CVE-2014-3479 CVE-2014-3480 CVE-2014-3487 CVE-2014-3515 CVE-2014-4049 CVE-2014-4721 CVE-2013-7345 file: extensive backtracking in awk rule regular expression CVE-2014-0207 file: cdf_read_short_sector insufficient boundary check CVE-2014-0238 file: CDF property info parsing nelements infinite loop CVE-2014-0237 file: cdf_unpack_summary_info() excessive looping DoS CVE-2014-3480 file: cdf_count_chain insufficient boundary check CVE-2014-3479 file: cdf_check_stream_offset insufficient boundary check CVE-2014-3487 file: cdf_read_property_info insufficient boundary check CVE-2014-4049 php: heap-based buffer overflow in DNS TXT record parsing CVE-2014-3515 php: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw CVE-2014-4721 php: type confusion issue in phpinfo() leading to information leak cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1023: kernel security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that Linux kernel's ptrace subsystem did not properly sanitize the address-space-control bits when the program-status word (PSW) was being set. On IBM S/390 systems, a local, unprivileged user could use this flaw to set address-space-control bits to the kernel space, and thus gain read and write access to kernel memory. (CVE-2014-3534, Important) * It was found that the permission checks performed by the Linux kernel when a netlink message was received were not sufficient. A local, unprivileged user could potentially bypass these restrictions by passing a netlink socket as stdout or stderr to a more privileged process and altering the output of this process. (CVE-2014-0181, Moderate) * It was found that a remote attacker could use a race condition flaw in the ath_tx_aggr_sleep() function to crash the system by creating large network traffic on the system's Atheros 9k wireless network adapter. (CVE-2014-2672, Moderate) * A flaw was found in the way the Linux kernel performed forking inside of a transaction. A local, unprivileged user on a PowerPC system that supports transactional memory could use this flaw to crash the system. (CVE-2014-2673, Moderate) * A race condition flaw was found in the way the Linux kernel's mac80211 subsystem implementation handled synchronization between TX and STA wake-up code paths. A remote attacker could use this flaw to crash the system. (CVE-2014-2706, Moderate) * An integer underflow flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation processed certain COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote attacker could use this flaw to prevent legitimate connections to a particular SCTP server socket to be made. (CVE-2014-4667, Moderate) Red Hat would like to thank Martin Schwidefsky of IBM for reporting CVE-2014-3534, Andy Lutomirski for reporting CVE-2014-0181, and Gopal Reddy Kodudula of Nokia Siemens Networks for reporting CVE-2014-4667. This update also fixes the following bugs: * Due to a NULL pointer dereference bug in the IPIP and SIT tunneling code, a kernel panic could be triggered when using IPIP or SIT tunnels with IPsec. This update restructures the related code to avoid a NULL pointer dereference and the kernel no longer panics when using IPIP or SIT tunnels with IPsec. (BZ#1114957) * Previously, an IBM POWER8 system could terminate unexpectedly when the kernel received an IRQ while handling a transactional memory re-checkpoint critical section. This update ensures that IRQs are disabled in this situation and the problem no longer occurs. (BZ#1113150) * A missing read memory barrier, rmb(), in the bnx2x driver caused the kernel to crash under various circumstances. This problem has been fixed by adding an rmb() call to the relevant place in the bnx2x code. (BZ#1107721) * The hpwdt driver previously emitted a panic message that was misleading on certain HP systems. This update ensures that upon a kernel panic, hpwdt displays information valid on all HP systems. (BZ#1096961) * The qla2xxx driver has been upgraded to version 8.06.00.08.07.0-k3, which provides a number of bug fixes over the previous version in order to correct various timeout problems with the mailbox commands. (BZ#1112389) * The SCSI mid-layer could retry an I/O operation indefinitely if a storage array repeatedly returned a CHECK CONDITION status to that I/O operation but the sense data was invalid. This update fixes the problem by limiting a time for which is such an I/O operation retried. (BZ#1114468) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-0181 CVE-2014-2672 CVE-2014-2673 CVE-2014-2706 CVE-2014-3534 CVE-2014-4667 CVE-2014-2673 kernel: powerpc: tm: crash when forking inside a transaction CVE-2014-2672 kernel: ath9k: tid->sched race in ath_tx_aggr_sleep() CVE-2014-2706 Kernel: net: mac80211: crash dues to AP powersave TX vs. wakeup race CVE-2014-0181 kernel: net: insufficient permision checks of netlink messages CVE-2014-4667 kernel: sctp: sk_ack_backlog wrap-around problem CVE-2014-3534 kernel: s390: ptrace: insufficient sanitization when setting psw mask cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1031: 389-ds-base security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. It was found that when replication was enabled for each attribute in 389 Directory Server, which is the default configuration, the server returned replicated metadata when the directory was searched while debugging was enabled. A remote attacker could use this flaw to disclose potentially sensitive information. (CVE-2014-3562) This issue was discovered by Ludwig Krispenz of Red Hat. All 389-ds-base users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the 389 server service will be restarted automatically. Important Copyright 2014 Red Hat, Inc. CVE-2014-3562 CVE-2014-3562 389-ds: unauthenticated information disclosure cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1034: tomcat security update (Low) Red Hat Enterprise Linux 7 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same Apache Tomcat instance. (CVE-2014-0119) All Tomcat users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Tomcat must be restarted for this update to take effect. Low Copyright 2014 Red Hat, Inc. CVE-2014-0119 CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1052: openssl security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Datagram Transport Layer Security (DTLS) protocols, as well as a full-strength, general purpose cryptography library. A race condition was found in the way OpenSSL handled ServerHello messages with an included Supported EC Point Format extension. A malicious server could possibly use this flaw to cause a multi-threaded TLS/SSL client using OpenSSL to write into freed memory, causing the client to crash or execute arbitrary code. (CVE-2014-3509) It was discovered that the OBJ_obj2txt() function could fail to properly NUL-terminate its output. This could possibly cause an application using OpenSSL functions to format fields of X.509 certificates to disclose portions of its memory. (CVE-2014-3508) A flaw was found in the way OpenSSL handled fragmented handshake packets. A man-in-the-middle attacker could use this flaw to force a TLS/SSL server using OpenSSL to use TLS 1.0, even if both the client and the server supported newer protocol versions. (CVE-2014-3511) Multiple flaws were discovered in the way OpenSSL handled DTLS packets. A remote attacker could use these flaws to cause a DTLS server or client using OpenSSL to crash or use excessive amounts of memory. (CVE-2014-3505, CVE-2014-3506, CVE-2014-3507) A NULL pointer dereference flaw was found in the way OpenSSL performed a handshake when using the anonymous Diffie-Hellman (DH) key exchange. A malicious server could cause a DTLS client using OpenSSL to crash if that client had anonymous DH cipher suites enabled. (CVE-2014-3510) All OpenSSL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3508 CVE-2014-3509 CVE-2014-3510 CVE-2014-3511 CVE-2014-3508 openssl: information leak in pretty printing functions CVE-2014-3509 openssl: race condition in ssl_parse_serverhello_tlsext CVE-2014-3505 openssl: DTLS packet processing double free CVE-2014-3506 openssl: DTLS memory exhaustion CVE-2014-3507 openssl: DTLS memory leak from zero-length fragments CVE-2014-3510 openssl: DTLS anonymous (EC)DH denial of service CVE-2014-3511 openssl: TLS protocol downgrade attack cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1073: nss, nss-util, nss-softokn security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv3, TLS, and other security standards. It was found that the implementation of Internationalizing Domain Names in Applications (IDNA) hostname matching in NSS did not follow the RFC 6125 recommendations. This could lead to certain invalid certificates with international characters to be accepted as valid. (CVE-2014-1492) In addition, the nss, nss-util, and nss-softokn packages have been upgraded to upstream version 3.16.2, which provides a number of bug fixes and enhancements over the previous versions. (BZ#1124659) Users of NSS are advised to upgrade to these updated packages, which correct these issues and add these enhancements. After installing this update, applications using NSS must be restarted for this update to take effect. Low Copyright 2014 Red Hat, Inc. CVE-2014-1492 CVE-2014-1492 nss: IDNA hostname matching code does not follow RFC 6125 recommendation (MFSA 2014-45) Rebase RHEL 7.0.Z to at least NSS 3.16.1 (FF 31) cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1091: mod_wsgi security update (Important) Red Hat Enterprise Linux 7 The mod_wsgi adapter is an Apache module that provides a WSGI-compliant interface for hosting Python-based web applications within Apache. It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system. (CVE-2014-0240) Note: mod_wsgi is not intended to provide privilege separation for WSGI applications. Systems relying on mod_wsgi to limit or sandbox the privileges of mod_wsgi applications should migrate to a different solution with proper privilege separation. Red Hat would like to thank Graham Dumpleton for reporting this issue. Upstream acknowledges Róbert Kisteleki as the original reporter. All mod_wsgi users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Important Copyright 2014 Red Hat, Inc. CVE-2014-0240 CVE-2014-0240 mod_wsgi: possible privilege escalation in setuid() failure scenarios cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1110: glibc security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. An off-by-one heap-based buffer overflow flaw was found in glibc's internal __gconv_translit_find() function. An attacker able to make an application call the iconv_open() function with a specially crafted argument could possibly use this flaw to execute arbitrary code with the privileges of that application. (CVE-2014-5119) A directory traveral flaw was found in the way glibc loaded locale files. An attacker able to make an application use a specially crafted locale name value (for example, specified in an LC_* environment variable) could possibly use this flaw to execute arbitrary code with the privileges of that application. (CVE-2014-0475) Red Hat would like to thank Stephane Chazelas for reporting CVE-2014-0475. All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2014 Red Hat, Inc. CVE-2014-0475 CVE-2014-5119 CVE-2014-0475 glibc: directory traversal in LC_* locale handling CVE-2014-5119 glibc: off-by-one error leading to a heap-based buffer overflow flaw in __gconv_translit_find() cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 RHSA-2014:1144: firefox security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2014-1562, CVE-2014-1567) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jan de Mooij as the original reporter of CVE-2014-1562, and regenrecht as the original reporter of CVE-2014-1567. For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 24.8.0 ESR. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 24.8.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2014 Red Hat, Inc. CVE-2014-1562 CVE-2014-1567 CVE-2014-1562 Mozilla: Miscellaneous memory safety hazards (rv:rv:24.8) (MFSA 2014-67) CVE-2014-1567 Mozilla: Use-after-free setting text directionality (MFSA 2014-72) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1146: httpcomponents-client security update (Important) Red Hat Enterprise Linux 7 HttpClient is an HTTP/1.1 compliant HTTP agent implementation based on httpcomponents HttpCore. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) For additional information on this flaw, refer to the Knowledgebase article in the References section. All httpcomponents-client users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2014 Red Hat, Inc. CVE-2014-3577 CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1147: squid security update (Important) Red Hat Enterprise Linux 7 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid. (CVE-2014-3609) Red Hat would like to thank the Squid project for reporting this issue. Upstream acknowledges Matthew Daley as the original reporter. All Squid users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the squid service will be restarted automatically. Important Copyright 2014 Red Hat, Inc. CVE-2014-3609 CVE-2014-3609 squid: assertion failure in Range header processing (SQUID-2014:2) cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1166: jakarta-commons-httpclient security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Jakarta Commons HTTPClient implements the client side of HTTP standards. It was discovered that the HTTPClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) For additional information on this flaw, refer to the Knowledgebase article in the References section. All jakarta-commons-httpclient users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2014 Red Hat, Inc. CVE-2014-3577 CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1172: procmail security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 The procmail program is used for local mail delivery. In addition to just delivering mail, procmail can be used for automatic filtering, presorting, and other mail handling jobs. A heap-based buffer overflow flaw was found in procmail's formail utility. A remote attacker could send an email with specially crafted headers that, when processed by formail, could cause procmail to crash or, possibly, execute arbitrary code as the user running formail. (CVE-2014-3618) All procmail users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2014 Red Hat, Inc. CVE-2014-3618 CVE-2014-3618 procmail: Heap-overflow in procmail's formail utility when processing specially-crafted email headers cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1281: kernel security and bug fix update (Moderate) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * An out-of-bounds memory access flaw was found in the Linux kernel's system call auditing implementation. On a system with existing audit rules defined, a local, unprivileged user could use this flaw to leak kernel memory to user space or, potentially, crash the system. (CVE-2014-3917, Moderate) This update also fixes the following bugs: * A bug in the mtip32xx driver could prevent the Micron P420m PCIe SSD devices with unaligned I/O access from completing the submitted I/O requests. This resulted in a livelock situation and rendered the Micron P420m PCIe SSD devices unusable. To fix this problem, mtip32xx now checks whether an I/O access is unaligned and if so, it uses the correct semaphore. (BZ#1125776) * A series of patches has been backported to improve the functionality of a touch pad on the latest Lenovo laptops in Red Hat Enterprise Linux 7. (BZ#1122559) * Due to a bug in the bnx2x driver, a network adapter could be unable to recover from EEH error injection. The network adapter had to be taken offline and rebooted in order to function properly again. With this update, the bnx2x driver has been corrected and network adapters now recover from EEH errors as expected. (BZ#1107722) * Previously, if an hrtimer interrupt was delayed, all future pending hrtimer events that were queued on the same processor were also delayed until the initial hrtimer event was handled. This could cause all hrtimer processing to stop for a significant period of time. To prevent this problem, the kernel has been modified to handle all expired hrtimer events when handling the initially delayed hrtimer event. (BZ#1113175) * A previous change to the nouveau driver introduced a bit shift error, which resulted in a wrong display resolution being set with some models of NVIDIA controllers. With this update, the erroneous code has been corrected, and the affected NVIDIA controllers can now set the correct display resolution. (BZ#1114869) * Due to a NULL pointer dereference bug in the be2net driver, the system could experience a kernel oops and reboot when disabling a network adapter after a permanent failure. This problem has been fixed by introducing a flag to keep track of the setup state. The failing adapter can now be disabled successfully without a kernel crash. (BZ#1122558) * Previously, the Huge Translation Lookaside Buffer (HugeTLB) allowed access to huge pages access by default. However, huge pages may be unsupported in some environments, such as a KVM guest on a PowerPC architecture, and an attempt to access a huge page in memory would result in a kernel oops. This update ensures that HugeTLB denies access to huge pages if the huge pages are not supported on the system. (BZ#1122115) * If an NVMe device becomes ready but fails to create I/O queues, the nvme driver creates a character device handle to manage such a device. Previously, a character device could be created before a device reference counter was initialized, which resulted in a kernel oops. This problem has been fixed by calling the relevant initialization function earlier in the code. (BZ#1119720) * On some firmware versions of the BladeEngine 3 (BE3) controller, interrupts remain disabled after a hardware reset. This was a problem for all Emulex-based network adapters using such a BE3 controller because these adapters would fail to recover from an EEH error if it occurred. To resolve this problem, the be2net driver has been modified to enable the interrupts in the eeh_resume handler explicitly. (BZ#1121712) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-3917 CVE-2014-3917 kernel: DoS with syscall auditing cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1292: haproxy security update (Moderate) Red Hat Enterprise Linux 7 HAProxy provides high availability, load balancing, and proxying for TCP and HTTP-based applications. A buffer overflow flaw was discovered in the way HAProxy handled, under very specific conditions, data uploaded from a client. A remote attacker could possibly use this flaw to crash HAProxy. (CVE-2014-6269) All haproxy users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-6269 CVE-2014-6269 haproxy: remote client denial of service vulnerability cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1293: bash security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) For additional information on the CVE-2014-6271 flaw, refer to the Knowledgebase article at https://access.redhat.com/articles/1200223 Red Hat would like to thank Stephane Chazelas for reporting this issue. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Critical Copyright 2014 Red Hat, Inc. CVE-2014-6271 CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1306: bash security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223 Note: Docker users are advised to use "yum update" within their containers, and to commit the resulting changes. For additional information on CVE-2014-6271 and CVE-2014-7169, refer to the aforementioned Knowledgebase article. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2014 Red Hat, Inc. CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1307: nss security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. (CVE-2014-1568) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Antoine Delignat-Lavaud and Intel Product Security Incident Response Team as the original reporters. All NSS users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, applications using NSS must be restarted for this update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-1568 CVE-2014-1568 nss: RSA PKCS#1 signature verification forgery flaw (MFSA 2014-73) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1319: xerces-j2 security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Apache Xerces for Java (Xerces-J) is a high performance, standards compliant, validating XML parser written in Java. The xerces-j2 packages provide Xerces-J version 2. A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU. (CVE-2013-4002) All xerces-j2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Applications using the Xerces-J must be restarted for this update to take effect. Moderate Copyright 2014 Red Hat, Inc. CVE-2013-4002 CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1327: php security update (Moderate) Red Hat Enterprise Linux 7 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. PHP's fileinfo module provides functions used to identify a particular file according to the type of data contained by the file. A buffer overflow flaw was found in the way the File Information (fileinfo) extension processed certain Pascal strings. A remote attacker able to make a PHP application using fileinfo convert a specially crafted Pascal string provided by an image file could cause that application to crash. (CVE-2014-3478) Multiple flaws were found in the File Information (fileinfo) extension regular expression rules for detecting various files. A remote attacker could use either of these flaws to cause a PHP application using fileinfo to consume an excessive amount of CPU. (CVE-2014-3538) It was found that the fix for CVE-2012-1571 was incomplete; the File Information (fileinfo) extension did not correctly parse certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file. (CVE-2014-3587) It was found that PHP's gd extension did not properly handle file names with a null character. A remote attacker could possibly use this flaw to make a PHP application access unexpected files and bypass intended file system access restrictions. (CVE-2014-5120) A NULL pointer dereference flaw was found in the gdImageCreateFromXpm() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application using gd via a specially crafted X PixMap (XPM) file. (CVE-2014-2497) Multiple buffer over-read flaws were found in the php_parserr() function of PHP. A malicious DNS server or a man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application used the dns_get_record() function to perform a DNS query. (CVE-2014-3597) Two use-after-free flaws were found in the way PHP handled certain Standard PHP Library (SPL) Iterators and ArrayIterators. A malicious script author could possibly use either of these flaws to disclose certain portions of server memory. (CVE-2014-4670, CVE-2014-4698) The CVE-2014-3478 issue was discovered by Francisco Alonso of Red Hat Product Security, the CVE-2014-3538 issue was discovered by Jan Kaluža of the Red Hat Web Stack Team, and the CVE-2014-3597 issue was discovered by David Kutálek of the Red Hat BaseOS QE. All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-2497 CVE-2014-3478 CVE-2014-3538 CVE-2014-3587 CVE-2014-3597 CVE-2014-4670 CVE-2014-4698 CVE-2014-5120 CVE-2014-2497 gd: NULL pointer dereference in gdImageCreateFromXpm() CVE-2014-3538 file: unrestricted regular expression matching CVE-2014-3478 file: mconvert incorrect handling of truncated pascal string size CVE-2014-4698 php: ArrayIterator use-after-free due to object change during sorting CVE-2014-4670 php: SPL Iterators use-after-free CVE-2014-3587 file: incomplete fix for CVE-2012-1571 in cdf_read_property_info CVE-2014-3597 php: multiple buffer over-reads in php_parserr CVE-2014-5120 php: gd extension NUL byte injection in file names cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1352: libvirt security and bug fix update (Moderate) Red Hat Enterprise Linux 7 The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process. (CVE-2014-3633) A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive. (CVE-2014-3657) The CVE-2014-3633 issue was discovered by Luyao Huang of Red Hat. This update also fixes the following bug: * Prior to this update, libvirt was setting the cpuset.mems parameter for domains with numatune/memory[nodeset] prior to starting them. As a consequence, domains with such a nodeset, which excluded the NUMA node with DMA and DMA32 zones (found in /proc/zoneinfo), could not be started due to failed KVM initialization. With this update, libvirt sets the cpuset.mems parameter after the initialization, and domains with any nodeset (in /numatune/memory) can be started without an error. (BZ#1135871) All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-3633 CVE-2014-3657 CVE-2014-3633 libvirt: qemu: out-of-bounds read access in qemuDomainGetBlockIoTune() due to invalid index CVE-2014-3657 libvirt: domain_conf: domain deadlock DoS cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1359: polkit-qt security update (Important) Red Hat Enterprise Linux 7 Polkit-qt is a library that lets developers use the PolicyKit API through a Qt-styled API. The polkit-qt library is used by the KDE Authentication Agent (KAuth), which is a part of kdelibs. It was found that polkit-qt handled authorization requests with PolicyKit via a D-Bus API that is vulnerable to a race condition. A local user could use this flaw to bypass intended PolicyKit authorizations. This update modifies polkit-qt to communicate with PolicyKit via a different API that is not vulnerable to the race condition. (CVE-2014-5033) All polkit-qt users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2014 Red Hat, Inc. CVE-2014-5033 CVE-2014-5033 polkit-qt: insecure calling of polkit cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1397: rsyslog security update (Important) Red Hat Enterprise Linux 7 The rsyslog packages provide an enhanced, multi-threaded syslog daemon that supports writing to relational databases, syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, and fine grained output format control. A flaw was found in the way rsyslog handled invalid log message priority values. In certain configurations, a local attacker, or a remote attacker able to connect to the rsyslog port, could use this flaw to crash the rsyslog daemon or, potentially, execute arbitrary code as the user running the rsyslog daemon. (CVE-2014-3634) Red Hat would like to thank Rainer Gerhards of rsyslog upstream for reporting this issue. All rsyslog users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the rsyslog service will be restarted automatically. Important Copyright 2014 Red Hat, Inc. CVE-2014-3634 CVE-2014-3634 rsyslog: remote syslog PRI vulnerability cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1620: java-1.7.0-openjdk security and bug fix update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519) It was discovered that the StAX XML parser in the JAXP component in OpenJDK performed expansion of external parameter entities even when external entity substitution was disabled. A remote attacker could use this flaw to perform XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents. (CVE-2014-6517) It was discovered that the DatagramSocket implementation in OpenJDK failed to perform source address checks for packets received on a connected socket. A remote attacker could use this flaw to have their packets processed as if they were received from the expected source. (CVE-2014-6512) It was discovered that the TLS/SSL implementation in the JSSE component in OpenJDK failed to properly verify the server identity during the renegotiation following session resumption, making it possible for malicious TLS/SSL servers to perform a Triple Handshake attack against clients using JSSE and client certificate authentication. (CVE-2014-6457) It was discovered that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an attacker to affect the integrity of an encrypted stream handled by this class. (CVE-2014-6558) The CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product Security. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. This update also fixes the following bug: * The TLS/SSL implementation in OpenJDK previously failed to handle Diffie-Hellman (DH) keys with more than 1024 bits. This caused client applications using JSSE to fail to establish TLS/SSL connections to servers using larger DH keys during the connection handshake. This update adds support for DH keys with size up to 2048 bits. (BZ#1148309) All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-6457 CVE-2014-6502 CVE-2014-6504 CVE-2014-6506 CVE-2014-6511 CVE-2014-6512 CVE-2014-6517 CVE-2014-6519 CVE-2014-6531 CVE-2014-6558 CVE-2014-6512 OpenJDK: DatagramSocket connected socket missing source check (Libraries, 8039509) CVE-2014-6506 OpenJDK: insufficient permission checks when setting resource bundle on system logger (Libraries, 8041564) CVE-2014-6504 OpenJDK: incorrect optimization of range checks in C2 compiler (Hotspot, 8022783) CVE-2014-6519 OpenJDK: missing BootstrapMethods bounds check (Hotspot, 8041717) CVE-2014-6531 OpenJDK: insufficient ResourceBundle name check (Libraries, 8044274) CVE-2014-6502 OpenJDK: LogRecord use of incorrect CL when loading ResourceBundle (Libraries, 8042797) CVE-2014-6457 OpenJDK: Triple Handshake attack against TLS/SSL connections (JSSE, 8037066) CVE-2014-6558 OpenJDK: CipherInputStream incorrect exception handling (Security, 8037846) CVE-2014-6517 OpenJDK: StAX parser parameter entity XXE (JAXP, 8039533) CVE-2014-6511 ICU: Layout Engine ContextualSubstitution missing boundary checks (JDK 2D, 8041540) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1634: java-1.6.0-openjdk security and bug fix update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519) It was discovered that the StAX XML parser in the JAXP component in OpenJDK performed expansion of external parameter entities even when external entity substitution was disabled. A remote attacker could use this flaw to perform XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents. (CVE-2014-6517) It was discovered that the DatagramSocket implementation in OpenJDK failed to perform source address checks for packets received on a connected socket. A remote attacker could use this flaw to have their packets processed as if they were received from the expected source. (CVE-2014-6512) It was discovered that the TLS/SSL implementation in the JSSE component in OpenJDK failed to properly verify the server identity during the renegotiation following session resumption, making it possible for malicious TLS/SSL servers to perform a Triple Handshake attack against clients using JSSE and client certificate authentication. (CVE-2014-6457) It was discovered that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an attacker to affect the integrity of an encrypted stream handled by this class. (CVE-2014-6558) The CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product Security. This update also fixes the following bug: * The TLS/SSL implementation in OpenJDK previously failed to handle Diffie-Hellman (DH) keys with more than 1024 bits. This caused client applications using JSSE to fail to establish TLS/SSL connections to servers using larger DH keys during the connection handshake. This update adds support for DH keys with size up to 2048 bits. (BZ#1148309) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-6457 CVE-2014-6502 CVE-2014-6504 CVE-2014-6506 CVE-2014-6511 CVE-2014-6512 CVE-2014-6517 CVE-2014-6519 CVE-2014-6531 CVE-2014-6558 CVE-2014-6512 OpenJDK: DatagramSocket connected socket missing source check (Libraries, 8039509) CVE-2014-6506 OpenJDK: insufficient permission checks when setting resource bundle on system logger (Libraries, 8041564) CVE-2014-6504 OpenJDK: incorrect optimization of range checks in C2 compiler (Hotspot, 8022783) CVE-2014-6519 OpenJDK: missing BootstrapMethods bounds check (Hotspot, 8041717) CVE-2014-6531 OpenJDK: insufficient ResourceBundle name check (Libraries, 8044274) CVE-2014-6502 OpenJDK: LogRecord use of incorrect CL when loading ResourceBundle (Libraries, 8042797) CVE-2014-6457 OpenJDK: Triple Handshake attack against TLS/SSL connections (JSSE, 8037066) CVE-2014-6558 OpenJDK: CipherInputStream incorrect exception handling (Security, 8037846) CVE-2014-6517 OpenJDK: StAX parser parameter entity XXE (JAXP, 8039533) CVE-2014-6511 ICU: Layout Engine ContextualSubstitution missing boundary checks (JDK 2D, 8041540) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1635: firefox security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2014-1574, CVE-2014-1578, CVE-2014-1581, CVE-2014-1576, CVE-2014-1577) A flaw was found in the Alarm API, which allows applications to schedule actions to be run in the future. A malicious web application could use this flaw to bypass cross-origin restrictions. (CVE-2014-1583) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Bobby Holley, Christian Holler, David Bolter, Byron Campen Jon Coppeard, Atte Kettunen, Holger Fuhrmannek, Abhishek Arya, regenrecht, and Boris Zbarsky as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 31.2.0 ESR. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 31.2.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2014 Red Hat, Inc. CVE-2014-1574 CVE-2014-1576 CVE-2014-1577 CVE-2014-1578 CVE-2014-1581 CVE-2014-1583 CVE-2014-1574 Mozilla: Miscellaneous memory safety hazards (rv:31.2) (MFSA 2014-74) CVE-2014-1576 Mozilla: Buffer overflow during CSS manipulation (MFSA 2014-75) CVE-2014-1577 Mozilla: Web Audio memory corruption issues with custom waveforms (MFSA 2014-76) CVE-2014-1578 Mozilla: Out-of-bounds write with WebM video (MFSA 2014-77) CVE-2014-1581 Mozilla: Use-after-free interacting with text directionality (MFSA 2014-79) CVE-2014-1583 Mozilla: Accessing cross-origin objects via the Alarms API (MFSA 2014-82) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1652: openssl security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Datagram Transport Layer Security (DTLS) protocols, as well as a full-strength, general purpose cryptography library. This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails. This can prevent a forceful downgrade of the communication to SSL 3.0. The SSL 3.0 protocol was found to be vulnerable to the padding oracle attack when using block cipher suites in cipher block chaining (CBC) mode. This issue is identified as CVE-2014-3566, and also known under the alias POODLE. This SSL 3.0 protocol flaw will not be addressed in a future update; it is recommended that users configure their applications to require at least TLS protocol version 1.0 for secure communication. For additional information about this flaw, see the Knowledgebase article at https://access.redhat.com/articles/1232123 A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure Real-time Transport Protocol (SRTP) extension data. A remote attacker could send multiple specially crafted handshake messages to exhaust all available memory of an SSL/TLS or DTLS server. (CVE-2014-3513) A memory leak flaw was found in the way an OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server. (CVE-2014-3567) All OpenSSL users are advised to upgrade to these updated packages, which contain backported patches to mitigate the CVE-2014-3566 issue and correct the CVE-2014-3513 and CVE-2014-3567 issues. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted. Important Copyright 2014 Red Hat, Inc. CVE-2014-3513 CVE-2014-3567 CVE-2014-3566 openssl: Padding Oracle On Downgraded Legacy Encryption attack CVE-2014-3513 openssl: SRTP memory leak causes crash when using specially-crafted handshake message CVE-2014-3567 openssl: Invalid TLS/SSL session tickets could cause memory leak leading to server crash cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1655: libxml2 security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The libxml2 library is a development toolbox providing the implementation of various XML standards. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (CVE-2014-3660) All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-3660 CVE-2014-3660 libxml2: denial of service via recursive entity expansion cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1669: qemu-kvm security and bug fix update (Low) Red Hat Enterprise Linux 7 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An information leak flaw was found in the way QEMU's VGA emulator accessed frame buffer memory for high resolution displays. A privileged guest user could use this flaw to leak memory contents of the host to the guest by setting the display to use a high resolution in the guest. (CVE-2014-3615) This issue was discovered by Laszlo Ersek of Red Hat. This update also fixes the following bug: * This update fixes a regression in the scsi_block_new_request() function, which caused all read requests to through SG_IO if the host cache was not used. (BZ#1141189) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect. Low Copyright 2014 Red Hat, Inc. CVE-2014-3615 CVE-2014-3615 Qemu: information leakage when guest sets high resolution cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1676: wireshark security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Wireshark is a network protocol analyzer. It is used to capture and browse the traffic running on a computer network. Multiple flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2014-6429, CVE-2014-6430, CVE-2014-6431, CVE-2014-6432) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2014-6421, CVE-2014-6422, CVE-2014-6423, CVE-2014-6424, CVE-2014-6425, CVE-2014-6426, CVE-2014-6427, CVE-2014-6428) All wireshark users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Wireshark must be restarted for the update to take effect. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-6421 CVE-2014-6422 CVE-2014-6423 CVE-2014-6424 CVE-2014-6425 CVE-2014-6426 CVE-2014-6427 CVE-2014-6428 CVE-2014-6429 CVE-2014-6430 CVE-2014-6431 CVE-2014-6432 CVE-2014-6429 CVE-2014-6430 CVE-2014-6431 CVE-2014-6432 wireshark: DOS Sniffer file parser flaw (wnpa-sec-2014-19) CVE-2014-6428 wireshark: SES dissector crash (wnpa-sec-2014-18) CVE-2014-6427 wireshark: RTSP dissector crash (wnpa-sec-2014-17) CVE-2014-6426 wireshark: HIP dissector infinite loop (wnpa-sec-2014-16) CVE-2014-6425 wireshark: CUPS dissector crash (wnpa-sec-2014-15) CVE-2014-6424 wireshark: Netflow dissector crash (wnpa-sec-2014-14) CVE-2014-6423 wireshark: MEGACO dissector infinite loop (wnpa-sec-2014-13) CVE-2014-6421 CVE-2014-6422 wireshark: RTP dissector crash (wnpa-sec-2014-12) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1724: kernel security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611, Important) * A NULL pointer dereference flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled simultaneous connections between the same hosts. A remote attacker could use this flaw to crash the system. (CVE-2014-5077, Important) * It was found that the Linux kernel's KVM subsystem did not handle the VM exits gracefully for the invept (Invalidate Translations Derived from EPT) and invvpid (Invalidate Translations Based on VPID) instructions. On hosts with an Intel processor and invept/invppid VM exit support, an unprivileged guest user could use these instructions to crash the guest. (CVE-2014-3645, CVE-2014-3646, Moderate) * A use-after-free flaw was found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled user controls. A local, privileged user could use this flaw to crash the system. (CVE-2014-4653, Moderate) Red Hat would like to thank Lars Bull of Google for reporting CVE-2014-3611, and the Advanced Threat Research team at Intel Security for reporting CVE-2014-3645 and CVE-2014-3646. Bug fixes: * A known issue that could prevent Chelsio adapters using the cxgb4 driver from being initialized on IBM POWER8 systems has been fixed. These adapters can now be used on IBM POWER8 systems as expected. (BZ#1130548) * When bringing a hot-added CPU online, the kernel did not initialize a CPU mask properly, which could result in a kernel panic. This update corrects the bug by ensuring that the CPU mask is properly initialized and the correct NUMA node selected. (BZ#1134715) * The kernel could fail to bring a CPU online if the hardware supported both, the acpi-cpufreq and intel_pstate modules. This update ensures that the acpi-cpufreq module is not loaded in the intel_pstate module is loaded. (BZ#1134716) * Due to a bug in the time accounting of the kernel scheduler, a divide error could occur when hot adding a CPU. To fix this problem, the kernel scheduler time accounting has been reworked. (BZ#1134717) * The kernel did not handle exceptions caused by an invalid floating point control (FPC) register, resulting in a kernel oops. This problem has been fixed by placing the label to handle these exceptions to the correct place in the code. (BZ#1138733) * A previous change to the kernel for the PowerPC architecture changed implementation of the compat_sys_sendfile() function. Consequently, the 64-bit sendfile() system call stopped working for files larger than 2 GB on PowerPC. This update restores previous behavior of sendfile() on PowerPC, and it again process files bigger than 2 GB as expected. (BZ#1139126) * Previously, the kernel scheduler could schedule a CPU topology update even though the topology did not change. This could negatively affect the CPU load balancing, cause degradation of the system performance, and eventually result in a kernel oops. This problem has been fixed by skipping the CPU topology update if the topology has not actually changed. (BZ#1140300) * Previously, recovery of a double-degraded RAID6 array could, under certain circumstances, result in data corruption. This could happen because the md driver was using an optimization that is safe to use only for single-degraded arrays. This update ensures that this optimization is skipped during the recovery of double-degraded RAID6 arrays. (BZ#1143850) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-3611 CVE-2014-3645 CVE-2014-3646 CVE-2014-4653 CVE-2014-5077 CVE-2014-4653 Kernel: ALSA: control: do not access controls outside of protected regions CVE-2014-5077 Kernel: net: SCTP: fix a NULL pointer dereference during INIT collisions CVE-2014-3646 kernel: kvm: vmx: invvpid vm exit not handled CVE-2014-3645 kernel: kvm: vmx: invept vm exit not handled CVE-2014-3611 kernel: kvm: PIT timer race condition cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1764: wget security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The wget package provides the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution. (CVE-2014-4877) Note: This update changes the default value of the --retr-symlinks option. The file symbolic links are now traversed by default and pointed-to files are retrieved rather than creating a symbolic link locally. Red Hat would like to thank the GNU Wget project for reporting this issue. Upstream acknowledges HD Moore of Rapid7, Inc as the original reporter. All users of wget are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-4877 CVE-2014-4877 wget: FTP symlink arbitrary filesystem access cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1767: php security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A buffer overflow flaw was found in the Exif extension. A specially crafted JPEG or TIFF file could cause a PHP application using the exif_thumbnail() function to crash or, possibly, execute arbitrary code with the privileges of the user running that PHP application. (CVE-2014-3670) An integer overflow flaw was found in the way custom objects were unserialized. Specially crafted input processed by the unserialize() function could cause a PHP application to crash. (CVE-2014-3669) An out-of-bounds read flaw was found in the way the File Information (fileinfo) extension parsed Executable and Linkable Format (ELF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted ELF file. (CVE-2014-3710) An out of bounds read flaw was found in the way the xmlrpc extension parsed dates in the ISO 8601 format. A specially crafted XML-RPC request or response could possibly cause a PHP application to crash. (CVE-2014-3668) The CVE-2014-3710 issue was discovered by Francisco Alonso of Red Hat Product Security. All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-3668 CVE-2014-3669 CVE-2014-3670 CVE-2014-3710 CVE-2014-3669 php: integer overflow in unserialize() CVE-2014-3670 php: heap corruption issue in exif_thumbnail() CVE-2014-3668 php: xmlrpc ISO8601 date format parsing out-of-bounds read in mkgmtime() CVE-2014-3710 file: out-of-bounds read in elf note headers cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1795: cups-filters security update (Moderate) Red Hat Enterprise Linux 7 The cups-filters package contains backends, filters, and other software that was once part of the core CUPS distribution but is now maintained independently. An out-of-bounds read flaw was found in the way the process_browse_data() function of cups-browsed handled certain browse packets. A remote attacker could send a specially crafted browse packet that, when processed by cups-browsed, would crash the cups-browsed daemon. (CVE-2014-4337) A flaw was found in the way the cups-browsed daemon interpreted the "BrowseAllow" directive in the cups-browsed.conf file. An attacker able to add a malformed "BrowseAllow" directive to the cups-browsed.conf file could use this flaw to bypass intended access restrictions. (CVE-2014-4338) All cups-filters users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cups-browsed daemon will be restarted automatically. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-4337 CVE-2014-4338 CVE-2014-4338 cups-filters: unsupported BrowseAllow value lets cups-browsed accept from all hosts CVE-2014-4337 cups-filters: cups-browsed DoS via process_browse_data() OOB read cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1801: shim security update (Moderate) Red Hat Enterprise Linux 7 Shim is the initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments. A heap-based buffer overflow flaw was found the way shim parsed certain IPv6 addresses. If IPv6 network booting was enabled, a malicious server could supply a crafted IPv6 address that would cause shim to crash or, potentially, execute arbitrary code. (CVE-2014-3676) An out-of-bounds memory write flaw was found in the way shim processed certain Machine Owner Keys (MOKs). A local attacker could potentially use this flaw to execute arbitrary code on the system. (CVE-2014-3677) An out-of-bounds memory read flaw was found in the way shim parsed certain IPv6 packets. A specially crafted DHCPv6 packet could possibly cause shim to crash, preventing the system from booting if IPv6 booting was enabled. (CVE-2014-3675) Red Hat would like to thank the SUSE Security Team for reporting these issues. All shim users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-3675 CVE-2014-3676 CVE-2014-3677 CVE-2014-3675 shim: out-of-bounds memory read flaw in DHCPv6 packet processing CVE-2014-3676 shim: heap-based buffer overflow flaw in IPv6 address parsing CVE-2014-3677 shim: memory corruption flaw when processing Machine Owner Keys (MOKs) cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1826: libvncserver security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 LibVNCServer is a library that allows for easy creation of VNC server or client functionality. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way screen sizes were handled by LibVNCServer. A malicious VNC server could use this flaw to cause a client to crash or, potentially, execute arbitrary code in the client. (CVE-2014-6051) A NULL pointer dereference flaw was found in LibVNCServer's framebuffer setup. A malicious VNC server could use this flaw to cause a VNC client to crash. (CVE-2014-6052) A NULL pointer dereference flaw was found in the way LibVNCServer handled certain ClientCutText message. A remote attacker could use this flaw to crash the VNC server by sending a specially crafted ClientCutText message from a VNC client. (CVE-2014-6053) A divide-by-zero flaw was found in the way LibVNCServer handled the scaling factor when it was set to "0". A remote attacker could use this flaw to crash the VNC server using a malicious VNC client. (CVE-2014-6054) Two stack-based buffer overflow flaws were found in the way LibVNCServer handled file transfers. A remote attacker could use this flaw to crash the VNC server using a malicious VNC client. (CVE-2014-6055) Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Nicolas Ruff as the original reporter. All libvncserver users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications linked against libvncserver must be restarted for this update to take effect. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-6051 CVE-2014-6052 CVE-2014-6053 CVE-2014-6054 CVE-2014-6055 CVE-2014-6051 libvncserver: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling CVE-2014-6052 libvncserver: NULL pointer dereference flaw in framebuffer setup CVE-2014-6053 libvncserver: server NULL pointer dereference flaw in ClientCutText message handling CVE-2014-6054 libvncserver: server divide-by-zero flaw in scaling factor handling CVE-2014-6055 libvncserver: server stacked-based buffer overflow flaws in file transfer handling cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1827: kdenetwork security update (Moderate) Red Hat Enterprise Linux 7 The kdenetwork packages contain networking applications for the K Desktop Environment (KDE). Krfb Desktop Sharing, which is a part of the kdenetwork package, is a server application that allows session sharing between users. Krfb uses the LibVNCServer library. A NULL pointer dereference flaw was found in the way LibVNCServer handled certain ClientCutText message. A remote attacker could use this flaw to crash the VNC server by sending a specially crafted ClientCutText message from a VNC client. (CVE-2014-6053) A divide-by-zero flaw was found in the way LibVNCServer handled the scaling factor when it was set to "0". A remote attacker could use this flaw to crash the VNC server using a malicious VNC client. (CVE-2014-6054) Two stack-based buffer overflow flaws were found in the way LibVNCServer handled file transfers. A remote attacker could use this flaw to crash the VNC server using a malicious VNC client. (CVE-2014-6055) Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Nicolas Ruff as the original reporter. Note: Prior to this update, the kdenetwork packages used an embedded copy of the LibVNCServer library. With this update, the kdenetwork packages have been modified to use the system LibVNCServer packages. Therefore, the update provided by RHSA-2014:1826 must be installed to fully address the issues in krfb described above. All kdenetwork users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of the krfb server must be restarted for this update to take effect. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-6053 CVE-2014-6054 CVE-2014-6055 CVE-2014-6053 libvncserver: server NULL pointer dereference flaw in ClientCutText message handling CVE-2014-6054 libvncserver: server divide-by-zero flaw in scaling factor handling CVE-2014-6055 libvncserver: server stacked-based buffer overflow flaws in file transfer handling cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1846: gnutls security update (Moderate) Red Hat Enterprise Linux 7 The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). The gnutls packages also include the libtasn1 library, which provides Abstract Syntax Notation One (ASN.1) parsing and structures management, and Distinguished Encoding Rules (DER) encoding and decoding functions. An out-of-bounds memory write flaw was found in the way GnuTLS parsed certain ECC (Elliptic Curve Cryptography) certificates or certificate signing requests (CSR). A malicious user could create a specially crafted ECC certificate or a certificate signing request that, when processed by an application compiled against GnuTLS (for example, certtool), could cause that application to crash or execute arbitrary code with the permissions of the user running the application. (CVE-2014-8564) Red Hat would like to thank GnuTLS upstream for reporting this issue. Upstream acknowledges Sean Burford as the original reporter. All gnutls users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all applications linked to the GnuTLS or libtasn1 library must be restarted. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-8564 CVE-2014-8564 gnutls: Heap corruption when generating key ID for ECC (GNUTLS-SA-2014-5) cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1861: mariadb security update (Important) Red Hat Enterprise Linux 7 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2014-2494, CVE-2014-4207, CVE-2014-4243, CVE-2014-4258, CVE-2014-4260, CVE-2014-4287, CVE-2014-4274, CVE-2014-6463, CVE-2014-6464, CVE-2014-6469, CVE-2014-6484, CVE-2014-6505, CVE-2014-6507, CVE-2014-6520, CVE-2014-6530, CVE-2014-6551, CVE-2014-6555, CVE-2014-6559) These updated packages upgrade MariaDB to version 5.5.40. Refer to the MariaDB Release Notes listed in the References section for a complete list of changes. All MariaDB users should upgrade to these updated packages, which correct these issues. After installing this update, the MariaDB server daemon (mysqld) will be restarted automatically. Important Copyright 2014 Red Hat, Inc. CVE-2012-5615 CVE-2014-2494 CVE-2014-4207 CVE-2014-4243 CVE-2014-4258 CVE-2014-4260 CVE-2014-4274 CVE-2014-4287 CVE-2014-6463 CVE-2014-6464 CVE-2014-6469 CVE-2014-6484 CVE-2014-6505 CVE-2014-6507 CVE-2014-6520 CVE-2014-6530 CVE-2014-6551 CVE-2014-6555 CVE-2014-6559 CVE-2014-2494 mysql: unspecified vulnerability related to ENARC (CPU July 2014) CVE-2014-4207 mysql: unspecified vulnerability related to SROPTZR (CPU July 2014) CVE-2014-4243 mysql: unspecified vulnerability related to ENFED (CPU July 2014) CVE-2014-4258 mysql: unspecified vulnerability related to SRINFOSC (CPU July 2014) CVE-2014-4260 mysql: unspecified vulnerability related to SRCHAR (CPU July 2014) CVE-2014-4274 mysql: unspecified MyISAM temporary file issue fixed in 5.5.39 and 5.6.20 CVE-2014-4287 mysql: unspecified vulnerability related to SERVER:CHARACTER SETS (CPU October 2014) CVE-2014-6463 mysql: unspecified vulnerability related to SERVER:REPLICATION ROW FORMAT BINARY LOG DML (CPU October 2014) CVE-2014-6464 mysql: unspecified vulnerability related to SERVER:INNODB DML FOREIGN KEYS (CPU October 2014) CVE-2014-6469 mysql: unspecified vulnerability related to SERVER:OPTIMIZER (CPU October 2014) CVE-2014-6484 mysql: unspecified vulnerability related to SERVER:DML (CPU October 2014) CVE-2014-6505 mysql: unspecified vulnerability related to SERVER:MEMORY STORAGE ENGINE (CPU October 2014) CVE-2014-6507 mysql: unspecified vulnerability related to SERVER:DML (CPU October 2014) CVE-2014-6520 mysql: unspecified vulnerability related to SERVER:DDL (CPU October 2014) CVE-2014-6530 mysql: unspecified vulnerability related to CLIENT:MYSQLDUMP (CPU October 2014) CVE-2014-6551 mysql: unspecified vulnerability related to CLIENT:MYSQLADMIN (CPU October 2014) CVE-2014-6555 mysql: unspecified vulnerability related to SERVER:DML (CPU October 2014) CVE-2014-6559 mysql: unspecified vulnerability related to C API SSL CERTIFICATE HANDLING (CPU October 2014) cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1870: libXfont security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The libXfont packages provide the X.Org libXfont runtime library. X.Org is an open source implementation of the X Window System. A use-after-free flaw was found in the way libXfont processed certain font files when attempting to add a new directory to the font path. A malicious, local user could exploit this issue to potentially execute arbitrary code with the privileges of the X.Org server. (CVE-2014-0209) Multiple out-of-bounds write flaws were found in the way libXfont parsed replies received from an X.org font server. A malicious X.org server could cause an X client to crash or, possibly, execute arbitrary code with the privileges of the X.Org server. (CVE-2014-0210, CVE-2014-0211) Red Hat would like to thank the X.org project for reporting these issues. Upstream acknowledges Ilja van Sprundel as the original reporter. Users of libXfont should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running X.Org server instances must be restarted for the update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-0209 CVE-2014-0210 CVE-2014-0211 CVE-2014-0209 libXfont: integer overflow of allocations in font metadata file parsing CVE-2014-0210 libXfont: unvalidated length fields when parsing xfs protocol replies CVE-2014-0211 libXfont: integer overflows calculating memory needs for xfs replies cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1912: ruby security update (Moderate) Red Hat Enterprise Linux 7 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. (CVE-2014-8080, CVE-2014-8090) A stack-based buffer overflow was found in the implementation of the Ruby Array pack() method. When performing base64 encoding, a single byte could be written past the end of the buffer, possibly causing Ruby to crash. (CVE-2014-4975) The CVE-2014-8090 issue was discovered by Red Hat Product Security. All ruby users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Ruby need to be restarted for this update to take effect. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-4975 CVE-2014-8080 CVE-2014-8090 CVE-2014-4975 ruby: off-by-one stack-based buffer overflow in the encodes() function CVE-2014-8080 ruby: REXML billion laughs attack via parameter entity expansion CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080 cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1919: firefox security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2014-1587, CVE-2014-1590, CVE-2014-1592, CVE-2014-1593) A flaw was found in the Alarm API, which could allow applications to schedule actions to be run in the future. A malicious web application could use this flaw to bypass the same-origin policy. (CVE-2014-1594) This update disables SSL 3.0 support by default in Firefox. Details on how to re-enable SSL 3.0 support are available at: https://access.redhat.com/articles/1283153 Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, Max Jonas Werner, Joe Vennix, Berend-Jan Wever, Abhishek Arya, and Boris Zbarsky as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 31.3.0 ESR. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 31.3.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2014 Red Hat, Inc. CVE-2014-1587 CVE-2014-1590 CVE-2014-1592 CVE-2014-1593 CVE-2014-1594 CVE-2014-1587 Mozilla: Miscellaneous memory safety hazards (rv:31.3) (MFSA 2014-83) CVE-2014-1590 Mozilla: XMLHttpRequest crashes with some input streams (MFSA 2014-85) CVE-2014-1592 Mozilla: Use-after-free during HTML5 parsing (MFSA 2014-87) CVE-2014-1593 Mozilla: Buffer overflow while parsing media content (MFSA 2014-88) CVE-2014-1594 Mozilla: Bad casting from the BasicThebesLayer to BasicContainerLayer (MFSA 2014-89) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1948: nss, nss-util, and nss-softokn security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails. This can prevent a forceful downgrade of the communication to SSL 3.0. The SSL 3.0 protocol was found to be vulnerable to the padding oracle attack when using block cipher suites in cipher block chaining (CBC) mode. This issue is identified as CVE-2014-3566, and also known under the alias POODLE. This SSL 3.0 protocol flaw will not be addressed in a future update; it is recommended that users configure their applications to require at least TLS protocol version 1.0 for secure communication. For additional information about this flaw, see the Knowledgebase article at https://access.redhat.com/articles/1232123 The nss, nss-util, and nss-softokn packages have been upgraded to upstream version 3.16.2.3, which provides a number of bug fixes and enhancements over the previous version, and adds the support for Mozilla Firefox 31.3. (BZ#1158159, BZ#1165003, BZ#1165525) Users of nss, nss-util, and nss-softokn are advised to upgrade to these updated packages, which contain a backported patch to mitigate the CVE-2014-3566 issue, fix these bugs, and add these enhancements. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack Upgrade to NSS 3.16.2.3 for Firefox 31.3 [rhel-5.11.z] Upgrade to NSS 3.16.2.3 for Firefox 31.3 [rhel-6.6.Z] Upgrade to NSS 3.16.2.3 for Firefox 31.3 [rhel-7.0.Z] cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1956: wpa_supplicant security update (Moderate) Red Hat Enterprise Linux 7 The wpa_supplicant package contains an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. It implements key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. A command injection flaw was found in the way the wpa_cli utility executed action scripts. If wpa_cli was run in daemon mode to execute an action script (specified using the -a command line option), and wpa_supplicant was configured to connect to a P2P group, malicious P2P group parameters could cause wpa_cli to execute arbitrary code. (CVE-2014-3686) Red Hat would like to thank Jouni Malinen for reporting this issue. All wpa_supplicant users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-3686 CVE-2014-3686 wpa_supplicant and hostapd: wpa_cli and hostapd_cli remote command execution issue cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1971: kernel security and bug fix update (Important) Red Hat Enterprise Linux 7 * A flaw was found in the way the Linux kernel's SCTP implementation handled malformed or duplicate Address Configuration Change Chunks (ASCONF). A remote attacker could use either of these flaws to crash the system. (CVE-2014-3673, CVE-2014-3687, Important) * A flaw was found in the way the Linux kernel's SCTP implementation handled the association's output queue. A remote attacker could send specially crafted packets that would cause the system to use an excessive amount of memory, leading to a denial of service. (CVE-2014-3688, Important) * Two flaws were found in the way the Apple Magic Mouse/Trackpad multi-touch driver and the Minibox PicoLCD driver handled invalid HID reports. An attacker with physical access to the system could use these flaws to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-3181, CVE-2014-3186, Moderate) * A memory corruption flaw was found in the way the USB ConnectTech WhiteHEAT serial driver processed completion commands sent via USB Request Blocks buffers. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-3185, Moderate) * A flaw was found in the way the Linux kernel's keys subsystem handled the termination condition in the associative array garbage collection functionality. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-3631, Moderate) * Multiple flaws were found in the way the Linux kernel's ALSA implementation handled user controls. A local, privileged user could use either of these flaws to crash the system. (CVE-2014-4654, CVE-2014-4655, CVE-2014-4656, Moderate) * A flaw was found in the way the Linux kernel's VFS subsystem handled reference counting when performing unmount operations on symbolic links. A local, unprivileged user could use this flaw to exhaust all available memory on the system or, potentially, trigger a use-after-free error, resulting in a system crash or privilege escalation. (CVE-2014-5045, Moderate) * A flaw was found in the way the get_dumpable() function return value was interpreted in the ptrace subsystem of the Linux kernel. When 'fs.suid_dumpable' was set to 2, a local, unprivileged local user could use this flaw to bypass intended ptrace restrictions and obtain potentially sensitive information. (CVE-2013-2929, Low) * A stack overflow flaw caused by infinite recursion was found in the way the Linux kernel's UDF file system implementation processed indirect ICBs. An attacker with physical access to the system could use a specially crafted UDF image to crash the system. (CVE-2014-6410, Low) * An information leak flaw in the way the Linux kernel handled media device enumerate entities IOCTL requests could allow a local user able to access the /dev/media0 device file to leak kernel memory bytes. (CVE-2014-1739, Low) * An out-of-bounds read flaw in the Logitech Unifying receiver driver could allow an attacker with physical access to the system to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-3182, Low) * Multiple out-of-bounds write flaws were found in the way the Cherry Cymotion keyboard driver, KYE/Genius device drivers, Logitech device drivers, Monterey Genius KB29E keyboard driver, Petalynx Maxter remote control driver, and Sunplus wireless desktop driver handled invalid HID reports. An attacker with physical access to the system could use either of these flaws to write data past an allocated memory buffer. (CVE-2014-3184, Low) * An information leak flaw was found in the RAM Disks Memory Copy (rd_mcp) back end driver of the iSCSI Target subsystem could allow a privileged user to leak the contents of kernel memory to an iSCSI initiator remote client. (CVE-2014-4027, Low) * An information leak flaw in the Linux kernel's ALSA implementation could allow a local, privileged user to leak kernel memory to user space. (CVE-2014-4652, Low) Important Copyright 2014 Red Hat, Inc. CVE-2013-2929 CVE-2014-1739 CVE-2014-3181 CVE-2014-3182 CVE-2014-3184 CVE-2014-3185 CVE-2014-3186 CVE-2014-3631 CVE-2014-3673 CVE-2014-3687 CVE-2014-3688 CVE-2014-4027 CVE-2014-4652 CVE-2014-4654 CVE-2014-4655 CVE-2014-4656 CVE-2014-5045 CVE-2014-6410 CVE-2013-2929 kernel: exec/ptrace: get_dumpable() incorrect tests CVE-2014-4027 Kernel: target/rd: imformation leakage CVE-2014-1739 Kernel: drivers: media: an information leakage CVE-2014-4652 Kernel: ALSA: control: protect user controls against races & memory disclosure CVE-2014-4654 CVE-2014-4655 Kernel: ALSA: control: use-after-free in replacing user controls CVE-2014-4656 Kernel: ALSA: control: integer overflow in id.index & id.numid CVE-2014-5045 kernel: vfs: refcount issues during unmount on symlink CVE-2014-3631 kernel: keys: incorrect termination condition in assoc array garbage collection CVE-2014-3181 Kernel: HID: OOB write in magicmouse driver CVE-2014-3182 Kernel: HID: logitech-dj OOB array access CVE-2014-3184 Kernel: HID: off by one error in various _report_fixup routines CVE-2014-3185 Kernel: USB serial: memory corruption flaw CVE-2014-3186 Kernel: HID: memory corruption via OOB write CVE-2014-6410 kernel: udf: Avoid infinite loop when processing indirect ICBs CVE-2014-3673 kernel: sctp: skb_over_panic when receiving malformed ASCONF chunks CVE-2014-3687 kernel: net: sctp: fix panic on duplicate ASCONF chunks CVE-2014-3688 kernel: net: sctp: remote memory pressure from excessive queueing cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1976: rpm security update (Important) Red Hat Enterprise Linux 7 The RPM Package Manager (RPM) is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package such as its version, description, and other information. It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2013-6435) It was found that RPM could encounter an integer overflow, leading to a stack-based buffer overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2014-8118) These issues were discovered by Florian Weimer of Red Hat Product Security. All rpm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications linked against the RPM library must be restarted for this update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2013-6435 CVE-2014-8118 CVE-2013-6435 rpm: race condition during the installation process CVE-2014-8118 rpm: integer overflow and stack overflow in CPIO header parsing cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1983: xorg-x11-server security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Multiple integer overflow flaws and out-of-bounds write flaws were found in the way the X.Org server calculated memory requirements for certain X11 core protocol and GLX extension requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges. (CVE-2014-8092, CVE-2014-8093, CVE-2014-8098) It was found that the X.Org server did not properly handle SUN-DES-1 (Secure RPC) authentication credentials. A malicious, unauthenticated client could use this flaw to crash the X.Org server by submitting a specially crafted authentication request. (CVE-2014-8091) Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server, or leak memory contents to the client. (CVE-2014-8097) An integer overflow flaw was found in the way the X.Org server calculated memory requirements for certain DRI2 extension requests. A malicious, authenticated client could use this flaw to crash the X.Org server. (CVE-2014-8094) Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server. (CVE-2014-8095, CVE-2014-8096, CVE-2014-8099, CVE-2014-8100, CVE-2014-8101, CVE-2014-8102, CVE-2014-8103) All xorg-x11-server users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2014 Red Hat, Inc. CVE-2014-8091 CVE-2014-8092 CVE-2014-8093 CVE-2014-8094 CVE-2014-8095 CVE-2014-8096 CVE-2014-8097 CVE-2014-8098 CVE-2014-8099 CVE-2014-8100 CVE-2014-8101 CVE-2014-8102 CVE-2014-8103 CVE-2014-8091 xorg-x11-server: denial of service due to unchecked malloc in client authentication CVE-2014-8092 xorg-x11-server: integer overflow in X11 core protocol requests when calculating memory needs for requests CVE-2014-8093 xorg-x11-server: integer overflow in GLX extension requests when calculating memory needs for requests CVE-2014-8094 xorg-x11-server: integer overflow in DRI2 extension function ProcDRI2GetBuffers() CVE-2014-8095 xorg-x11-server: out of bounds access due to not validating length or offset values in XInput extension CVE-2014-8096 xorg-x11-server: out of bounds access due to not validating length or offset values in XC-MISC extension CVE-2014-8097 xorg-x11-server: out of bounds access due to not validating length or offset values in DBE extension CVE-2014-8098 xorg-x11-server: out of bounds access due to not validating length or offset values in GLX extension CVE-2014-8099 xorg-x11-server: out of bounds access due to not validating length or offset values in XVideo extension CVE-2014-8100 xorg-x11-server: out of bounds access due to not validating length or offset values in Render extension CVE-2014-8101 xorg-x11-server: out of bounds access due to not validating length or offset values in RandR extension CVE-2014-8102 xorg-x11-server: out of bounds access due to not validating length or offset values in XFixes extension CVE-2014-8103 xorg-x11-server: out of bounds access due to not validating length or offset values in DRI3 & Present extensions cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2014:1984: bind security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the way BIND followed DNS delegations. A remote attacker could use a specially crafted zone containing a large number of referrals which, when looked up and processed, would cause named to use excessive amounts of memory or crash. (CVE-2014-8500) All bind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2014 Red Hat, Inc. CVE-2014-8500 CVE-2014-8500 bind: delegation handling denial of service cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2014:1999: mailx security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The mailx packages contain a mail user agent that is used to manage mail using scripts. A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality. (CVE-2004-2771, CVE-2014-7844) Note: Applications using mailx to send email to addresses obtained from untrusted sources will still remain vulnerable to other attacks if they accept email addresses which start with "-" (so that they can be confused with mailx options). To counteract this issue, this update also introduces the "--" option, which will treat the remaining command line arguments as email addresses. All mailx users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2014 Red Hat, Inc. CVE-2004-2771 CVE-2014-7844 CVE-2004-2771 CVE-2014-7844 mailx: command execution flaw cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2014:2010: kernel security update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel handled GS segment register base switching when recovering from a #SS (stack segment) fault on an erroneous return to user space. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2014-9322, Important) Red Hat would like to thank Andy Lutomirski for reporting this issue. All kernel users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-9322 CVE-2014-9322 kernel: x86: local privesc due to bad_iret and paranoid entry incompatibility cpe:/o:redhat:enterprise_linux:7 RHSA-2014:2021: jasper security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard. Multiple off-by-one flaws, leading to heap-based buffer overflows, were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-9029) A heap-based buffer overflow flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-8138) A double free flaw was found in the way JasPer parsed ICC color profiles in JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-8137) Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Jose Duart of the Google Security Team as the original reporter. All JasPer users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All applications using the JasPer libraries must be restarted for the update to take effect. Important Copyright 2014 Red Hat, Inc. CVE-2014-8137 CVE-2014-8138 CVE-2014-9029 CVE-2014-9029 jasper: incorrect component number check in COC, RGN and QCC marker segment decoders (oCERT-2014-009) CVE-2014-8137 jasper: double-free in in jas_iccattrval_destroy() (oCERT-2014-012) CVE-2014-8138 jasper: heap overflow in jp2_decode() (oCERT-2014-012) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2014:2023: glibc security and bug fix update (Moderate) Red Hat Enterprise Linux 7 The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. It was found that the wordexp() function would perform command substitution even when the WRDE_NOCMD flag was specified. An attacker able to provide specially crafted input to an application using the wordexp() function, and not sanitizing the input correctly, could potentially use this flaw to execute arbitrary commands with the credentials of the user running that application. (CVE-2014-7817) This issue was discovered by Tim Waugh of the Red Hat Developer Experience Team. This update also fixes the following bug: * Prior to this update, if a file stream that was opened in append mode and its underlying file descriptor were used at the same time and the file was truncated using the ftruncate() function on the file descriptor, a subsequent ftell() call on the stream incorrectly modified the file offset by seeking to the new end of the file. This update ensures that ftell() modifies the state of the file stream only when it is in append mode and its buffer is not empty. As a result, the described incorrect changes to the file offset no longer occur. (BZ#1170187) All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2014 Red Hat, Inc. CVE-2014-7817 CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Problems when using ftruncate on files opened in append mode cpe:/o:redhat:enterprise_linux:7 RHSA-2014:2024: ntp security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295) It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293) It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys). (CVE-2014-9294) A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism. (CVE-2014-9296) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically. Important Copyright 2014 Red Hat, Inc. CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 CVE-2014-9293 ntp: automatic generation of weak default key in config_auth() CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets CVE-2014-9296 ntp: receive() missing return on error cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:0008: libvirt security and bug fix update (Low) Red Hat Enterprise Linux 7 The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823) This issue was discovered by Eric Blake of Red Hat. This update also fixes the following bugs: * In Red Hat Enterprise Linux 6, libvirt relies on the QEMU emulator to supply the error message when an active commit is attempted. However, with Red Hat Enterprise Linux 7, QEMU added support for an active commit, but an additional interaction from libvirt to fully enable active commits is still missing. As a consequence, attempts to perform an active commit caused libvirt to become unresponsive. With this update, libvirt has been fixed to detect an active commit by itself, and now properly declares the feature as unsupported. As a result, libvirt no longer hangs when an active commit is attempted and instead produces an error message. Note that the missing libvirt interaction will be added in Red Hat Enterprise Linux 7.1, adding full support for active commits. (BZ#1150379) * Prior to this update, the libvirt API did not properly check whether a Discretionary Access Control (DAC) security label is non-NULL before trying to parse user/group ownership from it. In addition, the DAC security label of a transient domain that had just finished migrating to another host is in some cases NULL. As a consequence, when the virDomainGetBlockInfo API was called on such a domain, the libvirtd daemon sometimes terminated unexpectedly. With this update, libvirt properly checks DAC labels before trying to parse them, and libvirtd thus no longer crashes in the described scenario. (BZ#1171124) * If a block copy operation was attempted while another block copy was already in progress to an explicit raw destination, libvirt previously stopped regarding the destination as raw. As a consequence, if the qemu.conf file was edited to allow file format probing, triggering the bug could allow a malicious guest to bypass sVirt protection by making libvirt regard the file as non-raw. With this update, libvirt has been fixed to consistently remember when a block copy destination is raw, and guests can no longer circumvent sVirt protection when the host is configured to allow format probing. (BZ#1149078) All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically. Low Copyright 2015 Red Hat, Inc. CVE-2014-7823 attempts to live snapshot merge (commit) of the active layer hang CVE-2014-7823 libvirt: dumpxml: information leak with migratable flag libvirtd occasionally crashes at the end of migration cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0046: firefox security and bug fix update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2014-8634, CVE-2014-8639, CVE-2014-8641) It was found that the Beacon interface implementation in Firefox did not follow the Cross-Origin Resource Sharing (CORS) specification. A web page containing malicious content could allow a remote attacker to conduct a Cross-Site Request Forgery (XSRF) attack. (CVE-2014-8638) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christian Holler, Patrick McManus, Muneaki Nishimura, Xiaofeng Zheng, and Mitchell Harper as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 31.4.0 ESR. You can find a link to the Mozilla advisories in the References section of this erratum. This update also fixes the following bug: * The default dictionary for Firefox's spell checker is now correctly set to the system's locale language. (BZ#643954, BZ#1150572) All Firefox users should upgrade to these updated packages, which contain Firefox version 31.4.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2014-8634 CVE-2014-8638 CVE-2014-8639 CVE-2014-8641 default spellchecker dictionary is not correct for firefox default spellchecker dictionary is not correct for firefox CVE-2014-8634 Mozilla: Miscellaneous memory safety hazards (rv:31.4) (MFSA 2015-01) CVE-2014-8638 Mozilla: sendBeacon requests lack an Origin header (MFSA 2015-03) CVE-2014-8639 Mozilla: Cookie injection through Proxy Authenticate responses (MFSA 2015-04) CVE-2014-8641 Mozilla: Read-after-free in WebRTC (MFSA 2015-06) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:0066: openssl security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Datagram Transport Layer Security (DTLS) protocols, as well as a full-strength, general purpose cryptography library. A NULL pointer dereference flaw was found in the DTLS implementation of OpenSSL. A remote attacker could send a specially crafted DTLS message, which would cause an OpenSSL server to crash. (CVE-2014-3571) A memory leak flaw was found in the way the dtls1_buffer_record() function of OpenSSL parsed certain DTLS messages. A remote attacker could send multiple specially crafted DTLS messages to exhaust all available memory of a DTLS server. (CVE-2015-0206) It was found that OpenSSL's BigNumber Squaring implementation could produce incorrect results under certain special conditions. This flaw could possibly affect certain OpenSSL library functionality, such as RSA blinding. Note that this issue occurred rarely and with a low probability, and there is currently no known way of exploiting it. (CVE-2014-3570) It was discovered that OpenSSL would perform an ECDH key exchange with a non-ephemeral key even when the ephemeral ECDH cipher suite was selected. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method than the one requested by the user. (CVE-2014-3572) It was discovered that OpenSSL would accept ephemeral RSA keys when using non-export RSA cipher suites. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method. (CVE-2015-0204) Multiple flaws were found in the way OpenSSL parsed X.509 certificates. An attacker could use these flaws to modify an X.509 certificate to produce a certificate with a different fingerprint without invalidating its signature, and possibly bypass fingerprint-based blacklisting in applications. (CVE-2014-8275) It was found that an OpenSSL server would, under certain conditions, accept Diffie-Hellman client certificates without the use of a private key. An attacker could use a user's client certificate to authenticate as that user, without needing the private key. (CVE-2015-0205) All OpenSSL users are advised to upgrade to these updated packages, which contain a backported patch to mitigate the above issues. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2015-0205 CVE-2015-0206 CVE-2015-0204 openssl: Only allow ephemeral RSA keys in export ciphersuites CVE-2014-3572 openssl: ECDH downgrade bug fix CVE-2014-8275 openssl: Fix various certificate fingerprint issues CVE-2014-3571 openssl: DTLS segmentation fault in dtls1_get_record CVE-2015-0206 openssl: DTLS memory leak in dtls1_buffer_record CVE-2015-0205 openssl: DH client certificates accepted without verification CVE-2014-3570 openssl: Bignum squaring may produce incorrect results cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:0067: java-1.7.0-openjdk security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2014-3566 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591 CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395 CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412 CVE-2015-0383 OpenJDK: insecure hsperfdata temporary file handling (Hotspot, 8050807) CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack CVE-2014-6601 OpenJDK: class verifier insufficient invokespecial calls verification (Hotspot, 8058982) CVE-2015-0412 OpenJDK: insufficient code privileges checks (JAX-WS, 8054367) CVE-2015-0408 OpenJDK: incorrect context class loader use in RMI transport (RMI, 8055309) CVE-2015-0395 OpenJDK: phantom references handling issue in garbage collector (Hotspot, 8047125) CVE-2015-0407 OpenJDK: directory information leak via file chooser (Swing, 8055304) CVE-2015-0410 OpenJDK: DER decoder infinite loop (Security, 8059485) CVE-2014-6593 OpenJDK: incorrect tracking of ChangeCipherSpec during SSL/TLS handshake (JSSE, 8057555) CVE-2014-6585 ICU: font parsing OOB read (OpenJDK 2D, 8055489) CVE-2014-6591 ICU: font parsing OOB read (OpenJDK 2D, 8056276) CVE-2014-6587 OpenJDK: MulticastSocket NULL pointer dereference (Libraries, 8056264) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:0074: jasper security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard. An off-by-one flaw, leading to a heap-based buffer overflow, was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-8157) An unrestricted stack memory use flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-8158) Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges pyddeh as the original reporter. All JasPer users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All applications using the JasPer libraries must be restarted for the update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2014-8157 CVE-2014-8158 CVE-2014-8157 jasper: dec->numtiles off-by-one check in jpc_dec_process_sot() (oCERT-2015-001) CVE-2014-8158 jasper: unrestricted stack memory use in jpc_qmfb.c (oCERT-2015-001) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0085: java-1.6.0-openjdk security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2014-3566 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591 CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395 CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412 CVE-2015-0383 OpenJDK: insecure hsperfdata temporary file handling (Hotspot, 8050807) CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack CVE-2014-6601 OpenJDK: class verifier insufficient invokespecial calls verification (Hotspot, 8058982) CVE-2015-0412 OpenJDK: insufficient code privileges checks (JAX-WS, 8054367) CVE-2015-0408 OpenJDK: incorrect context class loader use in RMI transport (RMI, 8055309) CVE-2015-0395 OpenJDK: phantom references handling issue in garbage collector (Hotspot, 8047125) CVE-2015-0407 OpenJDK: directory information leak via file chooser (Swing, 8055304) CVE-2015-0410 OpenJDK: DER decoder infinite loop (Security, 8059485) CVE-2014-6593 OpenJDK: incorrect tracking of ChangeCipherSpec during SSL/TLS handshake (JSSE, 8057555) CVE-2014-6585 ICU: font parsing OOB read (OpenJDK 2D, 8055489) CVE-2014-6591 ICU: font parsing OOB read (OpenJDK 2D, 8056276) CVE-2014-6587 OpenJDK: MulticastSocket NULL pointer dereference (Libraries, 8056264) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 RHSA-2015:0092: glibc security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235) Red Hat would like to thank Qualys for reporting this issue. All glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Critical Copyright 2015 Red Hat, Inc. CVE-2015-0235 CVE-2015-0235 glibc: __nss_hostname_digits_dots() heap-based buffer overflow cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:0100: libyaml security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 YAML is a data serialization format designed for human readability and interaction with scripting languages. LibYAML is a YAML parser and emitter written in C. An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash. (CVE-2014-9130) All libyaml users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications linked against the libyaml library must be restarted for this update to take effect. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-9130 CVE-2014-9130 libyaml: assert failure when processing wrapped strings cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0102: kernel security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's SCTP implementation validated INIT chunks when performing Address Configuration Change (ASCONF). A remote attacker could use this flaw to crash the system by sending a specially crafted SCTP packet to trigger a NULL pointer dereference on the system. (CVE-2014-7841, Important) * A race condition flaw was found in the way the Linux kernel's mmap(2), madvise(2), and fallocate(2) system calls interacted with each other while operating on virtual memory file system files. A local user could use this flaw to cause a denial of service. (CVE-2014-4171, Moderate) * A NULL pointer dereference flaw was found in the way the Linux kernel's Common Internet File System (CIFS) implementation handled mounting of file system shares. A remote attacker could use this flaw to crash a client system that would mount a file system share from a malicious server. (CVE-2014-7145, Moderate) * A flaw was found in the way the Linux kernel's splice() system call validated its parameters. On certain file systems, a local, unprivileged user could use this flaw to write past the maximum file size, and thus crash the system. (CVE-2014-7822, Moderate) * It was found that the parse_rock_ridge_inode_internal() function of the Linux kernel's ISOFS implementation did not correctly check relocated directories when processing Rock Ridge child link (CL) tags. An attacker with physical access to the system could use a specially crafted ISO image to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-5471, CVE-2014-5472, Low) Red Hat would like to thank Akira Fujita of NEC for reporting the CVE-2014-7822 issue. The CVE-2014-7841 issue was discovered by Liu Wei of Red Hat. This update also fixes the following bugs: * Previously, a kernel panic could occur if a process reading from a locked NFS file was killed and the lock was not released properly before the read operations finished. Consequently, the system crashed. The code handling file locks has been fixed, and instead of halting, the system now emits a warning about the unreleased lock. (BZ#1172266) * A race condition in the command abort handling logic of the ipr device driver could cause the kernel to panic when the driver received a response to an abort command prior to receiving other responses to the aborted command due to the support for multiple interrupts. With this update, the abort handler waits for the aborted command's responses first before completing an abort operation. (BZ#1162734) * Previously, a race condition could occur when changing a Page Table Entry (PTE) or a Page Middle Directory (PMD) to "pte_numa" or "pmd_numa", respectively, causing the kernel to crash. This update removes the BUG_ON() macro from the __handle_mm_fault() function, preventing the kernel panic in the aforementioned scenario. (BZ#1170662) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2014-4171 CVE-2014-5471 CVE-2014-5472 CVE-2014-7145 CVE-2014-7822 CVE-2014-7841 CVE-2014-4171 Kernel: mm/shmem: denial of service CVE-2014-5471 CVE-2014-5472 kernel: isofs: unbound recursion when processing relocated directories CVE-2014-7145 Kernel: cifs: NULL pointer dereference in SMB2_tcon CVE-2014-7841 kernel: net: sctp: NULL pointer dereference in af->from_addr_param on malformed packet CVE-2014-7822 kernel: splice: lack of generic write checks cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0118: mariadb security update (Moderate) Red Hat Enterprise Linux 7 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2015-0381, CVE-2015-0382, CVE-2015-0391, CVE-2015-0411, CVE-2015-0432, CVE-2014-6568, CVE-2015-0374) These updated packages upgrade MariaDB to version 5.5.41. Refer to the MariaDB Release Notes listed in the References section for a complete list of changes. All MariaDB users should upgrade to these updated packages, which correct these issues. After installing this update, the MariaDB server daemon (mysqld) will be restarted automatically. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-6568 CVE-2015-0374 CVE-2015-0381 CVE-2015-0382 CVE-2015-0391 CVE-2015-0411 CVE-2015-0432 CVE-2014-6568 mysql: unspecified vulnerability related to Server:InnoDB:DML (CPU Jan 2015) CVE-2015-0374 mysql: unspecified vulnerability related to Server:Security:Privileges:Foreign Key (CPU Jan 2015) CVE-2015-0381 mysql: unspecified vulnerability related to Server:Replication (CPU Jan 2015) CVE-2015-0382 mysql: unspecified vulnerability related to Server:Replication (CPU Jan 2015) CVE-2015-0391 mysql: unspecified vulnerability related to Server:DDL (CPU Jan 2015) CVE-2015-0411 mysql: unspecified vulnerability related to Server:Security:Encryption (CPU Jan 2015) CVE-2015-0432 mysql: unspecified vulnerability related to Server:InnoDB:DDL:Foreign Key (CPU Jan 2015) cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0166: subversion security update (Moderate) Red Hat Enterprise Linux 7 Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled REPORT requests. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-3580) A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled certain requests for URIs that trigger a lookup of a virtual transaction name. A remote, unauthenticated attacker could send a request for a virtual transaction name that does not exist, causing mod_dav_svn to crash. (CVE-2014-8108) It was discovered that Subversion clients retrieved cached authentication credentials using the MD5 hash of the server realm string without also checking the server's URL. A malicious server able to provide a realm that triggers an MD5 collision could possibly use this flaw to obtain the credentials for a different realm. (CVE-2014-3528) Red Hat would like to thank the Subversion project for reporting CVE-2014-3580 and CVE-2014-8108. Upstream acknowledges Evgeny Kotkov of VisualSVN as the original reporter. All subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, for the update to take effect, you must restart the httpd daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are serving Subversion repositories via the svn:// protocol. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-3528 CVE-2014-3580 CVE-2014-8108 CVE-2014-3528 subversion: credentials leak via MD5 collision CVE-2014-3580 subversion: NULL pointer dereference flaw in mod_dav_svn when handling REPORT requests CVE-2014-8108 subversion: NULL pointer dereference flaw in mod_dav_svn when handling URIs for virtual transaction names cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0252: samba security update (Important) Red Hat Enterprise Linux 7 Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. An uninitialized pointer use flaw was found in the Samba daemon (smbd). A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of the user running smbd (by default, the root user). (CVE-2015-0240) For additional information about this flaw, see the Knowledgebase article at https://access.redhat.com/articles/1346913 Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Richard van Eeden of Microsoft Vulnerability Research as the original reporter of this issue. All Samba users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the smb service will be restarted automatically. Important Copyright 2015 Red Hat, Inc. CVE-2015-0240 CVE-2015-0240 samba: talloc free on uninitialized stack pointer in netlogon server could lead to remote-code execution cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0265: firefox security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-0836, CVE-2015-0831, CVE-2015-0827) An information leak flaw was found in the way Firefox implemented autocomplete forms. An attacker able to trick a user into specifying a local file in the form could use this flaw to access the contents of that file. (CVE-2015-0822) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Carsten Book, Christoph Diehl, Gary Kwong, Jan de Mooij, Liz Henry, Byron Campen, Tom Schuster, Ryan VanderMeulen, Paul Bandha, Abhishek Arya, and Armin Razmdjou as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 31.5.0 ESR. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 31.5.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2015-0822 CVE-2015-0827 CVE-2015-0831 CVE-2015-0836 CVE-2015-0836 Mozilla: Miscellaneous memory safety hazards (rv:31.5) (MFSA 2015-11) CVE-2015-0831 Mozilla: Use-after-free in IndexedDB (MFSA 2015-16) CVE-2015-0827 Mozilla: Out-of-bounds read and write while rendering SVG content (MFSA 2015-19) CVE-2015-0822 Mozilla: Reading of local files through manipulation of form autocomplete (MFSA 2015-24) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:0290: kernel security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's XFS file system handled replacing of remote attributes under certain conditions. A local user with access to XFS file system mount could potentially use this flaw to escalate their privileges on the system. (CVE-2015-0274, Important) * It was found that the Linux kernel's KVM implementation did not ensure that the host CR4 control register value remained unchanged across VM entries on the same virtual CPU. A local, unprivileged user could use this flaw to cause denial of service on the system. (CVE-2014-3690, Moderate) * A flaw was found in the way Linux kernel's Transparent Huge Pages (THP) implementation handled non-huge page migration. A local, unprivileged user could use this flaw to crash the kernel by migrating transparent hugepages. (CVE-2014-3940, Moderate) * An out-of-bounds memory access flaw was found in the syscall tracing functionality of the Linux kernel's perf subsystem. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-7825, Moderate) * An out-of-bounds memory access flaw was found in the syscall tracing functionality of the Linux kernel's ftrace subsystem. On a system with ftrace syscall tracing enabled, a local, unprivileged user could use this flaw to crash the system, or escalate their privileges. (CVE-2014-7826, Moderate) * A race condition flaw was found in the Linux kernel's ext4 file system implementation that allowed a local, unprivileged user to crash the system by simultaneously writing to a file and toggling the O_DIRECT flag using fcntl(F_SETFL) on that file. (CVE-2014-8086, Moderate) * A flaw was found in the way the Linux kernel's netfilter subsystem handled generic protocol tracking. As demonstrated in the Stream Control Transmission Protocol (SCTP) case, a remote attacker could use this flaw to bypass intended iptables rule restrictions when the associated connection tracking module was not loaded on the system. (CVE-2014-8160, Moderate) * It was found that due to excessive files_lock locking, a soft lockup could be triggered in the Linux kernel when performing asynchronous I/O operations. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-8172, Moderate) * A NULL pointer dereference flaw was found in the way the Linux kernel's madvise MADV_WILLNEED functionality handled page table locking. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-8173, Moderate) * An information leak flaw was found in the Linux kernel's IEEE 802.11 wireless networking implementation. When software encryption was used, a remote attacker could use this flaw to leak up to 8 bytes of plaintext. (CVE-2014-8709, Low) * A stack-based buffer overflow flaw was found in the TechnoTrend/Hauppauge DEC USB device driver. A local user with write access to the corresponding device could use this flaw to crash the kernel or, potentially, elevate their privileges on the system. (CVE-2014-8884, Low) Red Hat would like to thank Eric Windisch of the Docker project for reporting CVE-2015-0274, Andy Lutomirski for reporting CVE-2014-3690, and Robert Święcki for reporting CVE-2014-7825 and CVE-2014-7826. This update also fixes several hundred bugs and adds numerous enhancements. Refer to the Red Hat Enterprise Linux 7.1 Release Notes for information on the most significant of these changes, and the following Knowledgebase article for further information: https://access.redhat.com/articles/1352803 All Red Hat Enterprise Linux 7 users are advised to install these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2014-3690 CVE-2014-3940 CVE-2014-7825 CVE-2014-7826 CVE-2014-8086 CVE-2014-8160 CVE-2014-8172 CVE-2014-8173 CVE-2014-8709 CVE-2014-8884 CVE-2015-0274 Trigger RHEL7 crash in guest domU, host don't generate core file RFE: Multiple virtio-rng devices support enable online multiple hot-added CPUs cause RHEL7.0 guest hang(soft lockup) guest screen fail to return back to the originally screen after resume from S3(still black screen) lockdep warning in flush_work() when hotunplugging a virtio-scsi disk (scsi-block + iscsi://) [RFE] btrfs-progs: btrfs resize doesn't support T/P/E suffix Size of external origin needs to be aligned with thin pool chunk size Virt-manager doesn't configure bridge for VM implement lazy save/restore of debug registers FCoE target: kernel panic when initiator connects to target kvm unit test "realmode" fails During query cpuinfo during guest boot from ipxe repeatedly in AMD hosts, vm repeatedly reboot. kvm unit test "debug" fails dm-cache: crash on creating cache kernel panic when virtscsi_init fails libguestfs-test-tool hangs when the guest is boot with -cpu host fail to boot L2 guest on wildcatpass Haswell host qemu ' KVM internal error. Suberror: 1' when query cpu frequently during pxe boot in Intel "Q95xx" host Windows guest booting failed with apicv and hv_vapic RHEL7.0 guest hang during kdump with qxl shared irq sync with latest upstream dm-thin provisioning improvements and fixes (through 3.15) BUG: It is not possible to communicate between local program and local ipv6 address when at least one 'netlabelctl unlbl' rule is added CVE-2014-3940 Kernel: missing check during hugepage migration [xfs] can't create inodes in newly added space after xfs_growfs Support for movntdq BUG: NetLabel lead to kernel panic on some SELinux levels unable recover NFSv3 locks NLM_DENIED_NOLOCK [fuse] java.io.FileNotFoundException (FNF) during time period with unrecovered disk errors Include fix commit daba287b299ec7a ("ipv4: fix DO and PROBE pmtu mode regarding local fragmentation with UFO/CORK") Solarflare devices do not provide PCIe ACS support, limiting device assignment use case due to IOMMU grouping Device 'vfio-pci' could not be initialized when passing through Intel 82599 CVE-2014-8086 Kernel: fs: ext4 race condition CVE-2014-3690 kernel: kvm: vmx: invalid host cr4 handling across vm entries CVE-2014-7825 CVE-2014-7826 kernel: insufficient syscall number validation in perf and ftrace subsystems CVE-2014-8884 kernel: usb: buffer overflow in ttusb-dec CVE-2014-8709 kernel: net: mac80211: plain text information leak CVE-2014-8160 kernel: iptables restriction bypass if a protocol handler kernel module not loaded CVE-2015-0274 kernel: xfs: replacing remote attributes memory corruption CVE-2014-8173 kernel: NULL pointer dereference in madvise(MADV_WILLNEED) support CVE-2014-8172 kernel: soft lockup on aio cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0301: hivex security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 Hive files are undocumented binary files that Windows uses to store the Windows Registry on disk. Hivex is a library that can read and write to these files. It was found that hivex attempted to read beyond its allocated buffer when reading a hive file with a very small size or with a truncated or improperly formatted content. An attacker able to supply a specially crafted hive file to an application using the hivex library could possibly use this flaw to execute arbitrary code with the privileges of the user running that application. (CVE-2014-9273) Red Hat would like to thank Mahmoud Al-Qudsi of NeoSmart Technologies for reporting this issue. The hivex package has been upgraded to upstream version 1.3.10, which provides a number of bug fixes and enhancements over the previous version. (BZ#1023978) This update also fixes the following bugs: * Due to an error in the hivex_value_data_cell_offset() function, the hivex utility could, in some cases, print an "Argument list is too long" message and terminate unexpectedly when processing hive files from the Windows Registry. This update fixes the underlying code and hivex now processes hive files as expected. (BZ#1145056) * A typographical error in the Win::Hivex.3pm manual page has been corrected. (BZ#1099286) Users of hivex are advised to upgrade to these updated packages, which correct these issues and adds these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-9273 Rebase hivex in RHEL 7.1 typo error in man page hivexml generate "Argument list too long" on some Windows Registry CVE-2014-9273 hivex: missing checks for small-sized files [rhel-7.1] CVE-2014-9273 hivex: missing checks for small-sized files cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0323: libvirt security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. It was found that QEMU's qemuDomainMigratePerform() and qemuDomainMigrateFinish2() functions did not correctly perform a domain unlock on a failed ACL check. A remote attacker able to establish a connection to libvirtd could use this flaw to lock a domain of a more privileged user, causing a denial of service. (CVE-2014-8136) It was discovered that the virDomainSnapshotGetXMLDesc() and virDomainSaveImageGetXMLDesc() functions did not sufficiently limit the usage of the VIR_DOMAIN_XML_SECURE flag when fine-grained ACLs were enabled. A remote attacker able to establish a connection to libvirtd could use this flaw to obtain certain sensitive information from the domain XML file. (CVE-2015-0236) The CVE-2015-0236 issue was found by Luyao Huang of Red Hat. Bug fixes: * The libvirtd daemon previously attempted to search for SELinux contexts even when SELinux was disabled on the host. Consequently, libvirtd logged "Unable to lookup SELinux process context" error messages every time a client connected to libvirtd and SELinux was disabled. libvirtd now verifies whether SELinux is enabled before searching for SELinux contexts, and no longer logs the error messages on a host with SELinux disabled. (BZ#1135155) * The libvirt utility passed incomplete PCI addresses to QEMU. Consequently, assigning a PCI device that had a PCI address with a non-zero domain to a guest failed. Now, libvirt properly passes PCI domain to QEMU when assigning PCI devices, which prevents the described problem. (BZ#1127080) * Because the virDomainSetMaxMemory API did not allow changing the current memory in the LXC driver, the "virsh setmaxmem" command failed when attempting to set the maximum memory to be lower than the current memory. Now, "virsh setmaxmem" sets the current memory to the intended value of the maximum memory, which avoids the mentioned problem. (BZ#1091132) * Attempting to start a non-existent domain caused network filters to stay locked for read-only access. Because of this, subsequent attempts to gain read-write access to network filters triggered a deadlock. Network filters are now properly unlocked in the described scenario, and the deadlock no longer occurs. (BZ#1088864) * If a guest configuration had an active nwfilter using the DHCP snooping feature and an attempt was made to terminate libvirtd before the associated nwfilter rule snooped the guest IP address from DHCP packets, libvirtd became unresponsive. This problem has been fixed by setting a longer wait time for snooping the guest IP address. (BZ#1075543) Enhancements: * A new "migrate_host" option is now available in /etc/libvirt/qemu.conf, which allows users to set a custom IP address to be used for incoming migrations. (BZ#1087671) * With this update, libvirt is able to create a compressed memory-only crash dump of a QEMU domain. This type of crash dump is directly readable by the GNU Debugger and requires significantly less hard disk space than the standard crash dump. (BZ#1035158) * Support for reporting the NUMA node distance of the host has been added to libvirt. This enhances the current libvirt capabilities for reporting NUMA topology of the host, and allows for easier optimization of new domains. (BZ#1086331) * The XML file of guest and host capabilities generated by the "virsh capabilities" command has been enhanced to list the following information, where relevant: the interface speed and link status of the host, the PCI Express (PCIe) details, the host's hardware support for I/O virtualization, and a report on the huge memory pages. (BZ#1076960, BZ#1076957, BZ#1076959, BZ#1076962) These packages also include a number of other bug fixes and enhancements. For additional details, see the "Bugs Fixed" section below. Low Copyright 2015 Red Hat, Inc. CVE-2014-8136 CVE-2015-0236 [TestOnly] qemu truncates JSON numbers >= 0x8000_0000_0000_0000 Error reporting when qemu terminates unexpectedly is inconsistent and sometimes unhelpful Libvirt is sensitive to the order in which the video devices are passed List available LXC consoles using container_ttys env variable clear the error message when dump a guest with pass-through device create external checkpoint snapshot will change the guest pmsuspended state and guest hang forever Virsh command will delay a long time if restart libvirtd with many virtual networks running virsh iface-dumpxml or virt-manager reports "bond interface misses the bond element" for inactive bond interfaces Guest can use inactive macvtap-passthrough network Missing auditing for serial, parallel, channel, console and smartcard devices blockcopy to cifs fails virsh snapshot-delete --children-only bypasses safety check for deleting disk-only children support libiscsi for SCSI passthrough devices Stable SCSI host addressing virConnectDomainEventRTCChangeCallback returns wrong offset Lockfailure action Ignore will lead to sanlock rem_lockspace stuck Lockfailure action Restart can shutdown the guest but fail to start it WWN option for Hot Attaching SCSI Disks The running Guest was paused while cancel the migration on the third machine Some flag values of method are missing in libvirt-python bindings virsh vcpuinfo output is difficult to read with large cpu counts Provide option to enable/disable 64-bit PCI hole Fail to modify the name attribute of ipv6 dhcp host via virsh net-update Separate limits for anonymous and authenticated users Documentation for virDomainLookupBy* should mention caller's responsibility to free virDomainPtr Domain without autostart can't be resumed by the libvirt-guests script after rebooting the host domdisplay should show all URI if config both vnc and spice in guest Policy denies libvirtd the permission to relabel unix domain sockets need add "interface" to virt-xml-validate manual page The cpu_shares value of domain xml should be consistent with return value of schedinfo. libvirt should forbid to attach a device with boot order for the first time if the os/boot element exists [RFE] Support for qemu-kvm's "-boot splash_time" parameter In man page of virsh, a typo 'COMMMANDS' displays three times [virsh cmd] Error message is not clear for commands blkiotune and schedinfo autoport='yes' doesn't skip over ports in use with IPv6 Fail to start lxc with disabled selinux due to the existed empty /selinux Error message is not clear for command nwfilter-define under non-root user. Libvirt can not update/modify queues value of interface element using update-device command document need to pass image name for block backed disks with --disk-only Nodedev-destroy commands both doc and error message when destroy HBA are not clear domain xml: libvirt should take defaultMode value into account when discarding <channel ... mode='MODE'/> entries Stable guest ABI doesn't check redirected usb device Start autostarted virtual networks in background [NFR] libvirt: Returning the allocation watermark for all the images opened for writing during block-commit virsh command domiftune bound parameter checking error Can't set the timer base as localtime once localtime is used in the variable attribute. VFs can not be listed by net-dumpxml directly after starting the hostdev network guest fail to start with permission denied error when with gluster volume virsh attach-interface/detach-interface mishandles inactive configuration on device hot(un)plug commands live snapshot merge (commit) of the active layer Fail to update floor attribute of QoS using updateDeviceFlags Fail to restore guest from the save file while set the static selinux lable for the guest and set the relabel='no' in the guest's xml Implement for libvirt guest's xml for security label Mem leak while start a guest with a character followed block commit/pull support for disks using libgfapi volumes cpu-stats boundary value problem Libvirt report incorrect error message when parsing invalid value of CTRL_IP_LEARNING in nwfilter "pool-list --type gluster" list other types pool Libvirt report incorrect message when starting domain with nwfilter whose chain priority is greater than its filter rule priority vol-upload should change the volume target format type after uploading a different format file to it Incorrect error message when hot-plugging interface with an inexistence nwfilter [libvirt] can create live snapshot of passthrough device (iSCSI LUN or block device) gluster option is not showed in virsh --version=long Failed to get the vol-name by giving volume path in gluster pool. Libvirt does not terminate when DHCP snooping is being used [RFE] allow setting video ram size (vgamem_mb) for qemu vga cards. libvirt: Multi-node NUMA policy assignment Expose huge pages information through libvirt API Expose host hardware support for I/O virtualization via libvirt API Expose interface speed and link information via API Expose PCIe BW and lane information through API Enable complex memory requirements for virtual machines It shouldn't be permitted to change the uuid of a nwfilter Python setInterfaceParameters function is broken use of tls with libvirt.so can leave zombie processes The guest will be destroyed abnormally while revert the guest's snapshot which took in "pmsuspended" status libvirt can not do vol-download for gluster pool volume [Snapshot Doc] In snapshot-create-as manual page, supported snapshot type should be no, internal and external Dropped guest network connection during migration (before it finished) Fail to start guest with 2 displays mixed with port allocated automatically and fixed port. the return value of API virNodeDevice.listCaps() is not correct RHEL7 libvirt vs older qemu: unable to execute QEMU command 'qom-get': The command qom-get has not been found The sg disk is not really shared within 2 guests The --memspec parameters "snapshot=no" doesn't work when creating internal disk snapshot [doc] Document behavior of --reuse-external (VIR_DOMAIN_SNAPSHOT_CREATE_REUSE_EXT) virsh numatune should forbid to accept int as parameter values [Stroage][vol-clone] Volume was cloned successfully when passing an non-existing pool Improve the error message when failed to restore a guest with a not availabe disk with startupPolicy='optional' Don't allow aio=native without cache=none [Storage][vol-download] virsh cmd vol-download works with option offset and length by passing a negative integer [storage] some volume related virsh commands work when the passed volume is not one volume of the passed pool Libvirt should clean up socket file on destroyed domain with UNIX character device nwfilter deadlock Fail to do external disk-only snapshot when guest use FC storage The error is inaccurate when create snapshot with memspec snapshot=external and diskspec snapshot=no volume is disappered after vol-wipe with logical type pool Improve the error message when blockpull with a wrong base path [RHEL7] Virsh cmd maxvcpus returns 255 for kvm type, but the maximum number of vcpus supported by kvm is 160. RFE: report NUMA node locality for PCI devices [RHEL7][Storage]The "lazy_refcounts" feature was missing in the xml printed by vol-dumpxml for a qcow3 disk in a native gluster pool SELinux prevent qemu from attaching tuntap queues Don't fail starting domain without cpu, cpuset and cpuacct cgroups controllers guest will be paused and can't resume when do external system checkpoint snapshot with wrong compression format libvirt loses track of hotplugged vcpus after daemon restart libvirt-python API baselineCPU doesn't generate exception libvirt binds only to ipv6 Maintain relative path to backing file image during live merge (block-commit) blkiotune weight range should be (10, 1000) virsh vcpupin need accurate error message when --vcpu argument is negative no need to require iptables-ipv6 Rebase libvirt to current upstream release Libvirt should report error when try to revert guest to external system checkpoint snapshot virt-xml-validate should pass when netfs pool xml with glusterfs backend The running guest will disappear while change the security_driver from "none" to "selinux" libvirt reset rtc interrupt backlog after guest-set-time Guest fail to start while disks use same no-exist source file even though with startupPolicy='optional' Garbage characters show in the output of pool-name with no-exist pool UUID Fail to start guest while disable the default security labeling Libvirtd will crash while start a guest which DAC's seclabel type='none' in guest's xml domblkinfo doesn't work when guest use glusterfs as source The error info is not correct when do blockcommit with --base and --top point to same source typo errors in man page VIRSH(1) capabilities mode hostdev shouldn't be added in KVM libvirt should prompt more readable error message while ide/sata bus disk do not support readonly [RFE] add API to query the stats of multiple VMs at once python bindings for graphics event have wrong value for address type libvirt failed to start a domain with unix+guestfwd channel The guest will disappear after restart the libvirtd service while set seclabel type='static' model='none' relabel='yes'/> in guest's xml. domxml-to-native fails for spice graphics with autoport='yes' when spice_tls is disabled [RFE] Add events for cputune and iotune change The error info is not accurate when do vol-wipe with volume based on gluster pool RFE: Multiple virtio-rng devices support Generate the redundant record in guest's xml while configure the same listen address in guest's xm The default behavor of abort block job with pivot flag isn't sync libvirt will report error after use pool-build in Non-root mode(qemu:///session) QMP: extend block events with error information numatune can use nodeset 0,^0 but can't edit xml like this virsh command takes long time to finish after set "log_level = 1" only 'virsh desc $dom blah' doesn't survive libvirtd restart libvirt should refuse to start domain with unsupported/useless min-guarantee element in qemu driver missing pci address for vga devices Libvirt should forbid using relative path to the new overaly snapshot image for external snapshots [Doc] Attribute name vlan-id should be vlanid in nwfilter xml docs Wrong block job type reported for active layer commit [libvirt] expose ivshmem Can't use domiftune --inbound 0 or --outbound 0 to clear inbound or outbound settings for a shut off guest <driver/> isn't always formated as it should be libvirtd will crash after do managedsave the same guest in the same time Failed to start domain with specified cputune after decreasing vcpu number numatune --mode can't work well Possible deadlock when the domain is destroyed on destination during migration [Doc]no manual about metadata command in virsh manual number range should be checked for the 4 new options of blkiotune Could not show process info for migration at once. blkdeviotune should can be used in session mode The iotune element will disappear from the guest's xml while set an invalid value Libvirtd crash while set blkdeviotune with the hotplug disk and specify the --config option The range for blkdeviotune was different in guest's xml and virsh command line virDomainSetMemoryFlags doesn't process flag VIR_DOMAIN_MEM_MAXIMUM for LXC Error msg is not right for option -k and -K against virsh command option -k and -K should point out range of reasonable values against virsh command Libvirt crash after defining/editing macvtap network pool with <address> elements snapshot's race condition pkg-config --libs contains cflags blockcopy job was cancel by "CTRL+C" while it show there still be one block job in background active commit will be cancelled by another commit Honor hugepage settings on UMA guest libvirt should pass "-enable-fips" to QEMU The usage for migrate's option --auto-converge missed in virsh man page Failed to remove libvirt-daemon-1.2.8-1.el7.x86_64 package Fail to managedsave while configure <cpu mode='host-model'> in the guest's xml Report better error when backing chain detection fails one of guest will be shut off when restart libvirtd while disable the default security labeling guest NUMA cannot start when automatic NUMA placement virsh cmd will hang when remove blockcopy file guest interface which use existing bridge source bridge will disappear after libvirtd restart Libvirt should post more accurate error when do blockpull with qemu-kvm sub-element in <disk>...</disk> change after create external disk snapshot Back port selected upstream Coverity resolutions since 1.2.8 libvirtd will crashed after hot-plug a virtual NIC to a guest which use qemu-attach connect to libvirtd wrong QMP argument 'id' when detaching iscsi hostdev libvirtd crash when defining scsi storage pool libvirt should report error when failed to use domtime to set a guest time [RFE] Add a qemu resume hook that is able to preprocess the domain XML libvirtd dead while destroy one guest with block disk Deadlock on nwfilter when taking same concurrent jobs libvirtd crashed after running "virsh metadata --remove" command memory leak when starting a domain with cpu mode='host-model' libvirtd crashed after use qemu-monitor-event --regex to a running guest wrong backingStore info after blockpull and destroy/start guest freepages argument has wrong unit and range API virNodeGetFreePages need report specific error when node out of range Updating blkdeviotune for live domain doesn't survive restarting the libvirtd USB Redirection no longer works: Permission Denied Libvirtd crash when defining scsi pool with 'scsi_host' type adapter and parentaddr attribute [migration] Tunnelled migration failed libvirtd crashes when starting a domain with 0 cpu shares save/managedsave doesn't work with host-passthrough libvirt should recognize __com.redhat_change-backing-file for relative path preservation Domain is out of control from libvirt when running some concurrent define/undefine/start/destroy jobs rapidly Permission denied when create external snapshot for guest whose source file based on nfs libvirtd loses track of a running restored guest with host-passthrough cpu [NPIV] The volume in scsi pool appears only after refreshing pool An LXC domain without console dies soon after start forbid NIC offloads change on the fly using update-device libvirt can not save mode='client' of vhostuser interface to domain xml libvirtd crashed on disk snapshot with rdma glusterfs image network using host bridge gets a MAC on libvirt update A memory error report when use domstats lxc domain startup is slow repeated migration with NBD fails domfsfreeze and domfsthaw cannot work well when guest restart libvirt doesn't stop the NBD server after migration Libvirt should check if the parent defined in xml matches the wwn of vHBA when starting pool Destroying 'fc_host' pool the HBA is NOT destroyed when not using 'parent' attribute libvirtd crashes after device hot-unplug crashes qemu small memory leak in migration [ACL] polkit: wrong attribute name 'interface_mac' for network interface in the documentation kvm_init_vcpu failed for cpu hot-plugging in NUMA crash after attempted spice channel hotplug libvirtd occasionally crashes at the end of migration net-event should not report unsuccessful event external disk snapshot with fault glusterfs snapshot xml crash libvirtd use after free in callers of virNetDevLinkDump No way to turn off rdma-pin-all once it was turned on VM with a storage volume that contains a RBD volume in the backing chain fails to start Failed to create logical volume with specified xml networkMigrateStateFiles function does not work on xfs file system due to using unsupported t_type field Report job type in virDomainGetJobInfo "libvirtError: Unable to write to '/sys/fs/cgroup/cpuset/machine.slice/machine-qemu\x2dinstance\x2d00000002.scope/cpuset.mems': Device or resource busy" Libvirt will crash with segfault if you try to set non-existing nwfilter to network interface for live guest guest can not start when setting " vcpu placement='auto' " libvirtd crash when try to cold plug a network iscsi hostdev which guest already have a iscsi hostdev extra space will be added to xml when update a network missing support for -spice disable-agent-file-xfer qemu commandline option virDomainGetSchedulerParameters() fails with Unable to read from '/sys/fs/cgroup/cpu,cpuacct/machine.slice/machine-qemu\x2dMic2.scope/cpu.shares': No such file or directory memdev= option is not supported on rhel6 machine-types Attach a usb disk to guest failed. Unable to start guest with hugepages and strict numa pinning CVE-2014-8136 libvirt: local denial of service in qemu/qemu_driver.c Fail to Migrate with Bridged network, eth + macvtap ,with different interface name on two hosts Memory leak when parsing invalid network XML migration rhel7.1 -> rhel7.0 wont work if you set "ram" < 2*"vgamem" for QXL device update default vgamem size from 8 MiB to 16 MiB libvirtError: argument unsupported: QEMU driver does not support <metadata> element Libvirtd crash while hotplug the guest agent without target type for many times cpu features are not formatted in XML for host-model libvirtd crashed when updating a IPv6 <host> and a IPv4 <host> into a IPv4 <ip> element CVE-2015-0236 libvirt: missing ACL check for the VIR_DOMAIN_XML_SECURE flag in save images and snapshots objects cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0325: httpd security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers. (CVE-2013-5704) A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled. (CVE-2014-3581) This update also fixes the following bugs: * Previously, the mod_proxy_fcgi Apache module always kept the back-end connections open even when they should have been closed. As a consequence, the number of open file descriptors was increasing over the time. With this update, mod_proxy_fcgi has been fixed to check the state of the back-end connections, and it closes the idle back-end connections as expected. (BZ#1168050) * An integer overflow occurred in the ab utility when a large request count was used. Consequently, ab terminated unexpectedly with a segmentation fault while printing statistics after the benchmark. This bug has been fixed, and ab no longer crashes in this scenario. (BZ#1092420) * Previously, when httpd was running in the foreground and the user pressed Ctrl+C to interrupt the httpd processes, a race condition in signal handling occurred. The SIGINT signal was sent to all children followed by SIGTERM from the main process, which interrupted the SIGINT handler. Consequently, the affected processes became unresponsive or terminated unexpectedly. With this update, the SIGINT signals in the child processes are ignored, and httpd no longer hangs or crashes in this scenario. (BZ#1131006) In addition, this update adds the following enhancements: * With this update, the mod_proxy module of the Apache HTTP Server supports the Unix Domain Sockets (UDS). This allows mod_proxy back ends to listen on UDS sockets instead of TCP sockets, and as a result, mod_proxy can be used to connect UDS back ends. (BZ#1168081) * This update adds support for using the SetHandler directive together with the mod_proxy module. As a result, it is possible to configure SetHandler to use proxy for incoming requests, for example, in the following format: SetHandler "proxy:fcgi://127.0.0.1:9000". (BZ#1136290) * The htaccess API changes introduced in httpd 2.4.7 have been backported to httpd shipped with Red Hat Enterprise Linux 7.1. These changes allow for the MPM-ITK module to be compiled as an httpd module. (BZ#1059143) All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. After installing the updated packages, the httpd daemon will be restarted automatically. Low Copyright 2015 Red Hat, Inc. CVE-2013-5704 CVE-2014-3581 Feature request: update httpd to 2.4.7 / backport htaccess API changes mod_rewrite doesn't expose client_addr mod_ssl uses small DHE parameters for non standard RSA keys mod_ssl selects correct DHE parameters for keys only up to 4096 bit httpd uses hardcoded curve for ECDHE suites CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests RFE: set vstring dynamically Error in `/usr/sbin/httpd': free(): invalid pointer authzprovideralias and authnprovideralias-defined provider can't be used in virtualhost . SetHandler to proxy support CVE-2014-3581 httpd: NULL pointer dereference in mod_cache if Content-Type has empty value cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0327: glibc security and bug fix update (Moderate) Red Hat Enterprise Linux 7 The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. An out-of-bounds read flaw was found in the way glibc's iconv() function converted certain encoded data to UTF-8. An attacker able to make an application call the iconv() function with a specially crafted argument could use this flaw to crash that application. (CVE-2014-6040) It was found that the files back end of Name Service Switch (NSS) did not isolate iteration over an entire database from key-based look-up API calls. An application performing look-ups on a database while iterating over it could enter an infinite loop, leading to a denial of service. (CVE-2014-8121) This update also fixes the following bugs: * Due to problems with buffer extension and reallocation, the nscd daemon terminated unexpectedly with a segmentation fault when processing long netgroup entries. With this update, the handling of long netgroup entries has been corrected and nscd no longer crashes in the described scenario. (BZ#1138520) * If a file opened in append mode was truncated with the ftruncate() function, a subsequent ftell() call could incorrectly modify the file offset. This update ensures that ftell() modifies the stream state only when it is in append mode and the buffer for the stream is not empty. (BZ#1156331) * A defect in the C library headers caused builds with older compilers to generate incorrect code for the btowc() function in the older compatibility C++ standard library. Applications calling btowc() in the compatibility C++ standard library became unresponsive. With this update, the C library headers have been corrected, and the compatibility C++ standard library shipped with Red Hat Enterprise Linux has been rebuilt. Applications that rely on the compatibility C++ standard library no longer hang when calling btowc(). (BZ#1120490) * Previously, when using netgroups and the nscd daemon was set up to cache netgroup information, the sudo utility denied access to valid users. The bug in nscd has been fixed, and sudo now works in netgroups as expected. (BZ#1080766) Users of glibc are advised to upgrade to these updated packages, which fix these issues. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-6040 CVE-2014-8121 Fix memory fencing error in unwind-forcedunwind.c getconf PATH returns non-directory "/bin" CVE-2014-6040 glibc: crash in code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364) nscd segfaults when running sudo with netgroup caching enabled. CVE-2014-8121 glibc: Unexpected closing of nss_files databases after lookups causes denial of service cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0330: pcre security and enhancement update (Low) Red Hat Enterprise Linux 7 PCRE is a Perl-compatible regular expression library. A flaw was found in the way PCRE handled certain malformed regular expressions. This issue could cause an application (for example, Konqueror) linked against PCRE to crash while parsing malicious regular expressions. (CVE-2014-8964) This update also adds the following enhancement: * Support for the little-endian variant of IBM Power Systems has been added to the pcre packages. (BZ#1123498, BZ#1125642) All pcre users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue and add this enhancement. Low Copyright 2015 Red Hat, Inc. CVE-2014-8964 CVE-2014-8964 pcre: incorrect handling of zero-repeat assertion conditions cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0349: qemu-kvm security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM-allocated buffer boundaries in the host's QEMU process address space with attacker-provided data. (CVE-2014-8106) An uninitialized data structure use flaw was found in the way the set_pixel_format() function sanitized the value of bits_per_pixel. An attacker able to access a guest's VNC console could use this flaw to crash the guest. (CVE-2014-7815) It was found that certain values that were read when loading RAM during migration were not validated. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-7840) A NULL pointer dereference flaw was found in the way QEMU handled UDP packets with a source port and address of 0 when QEMU's user networking was in use. A local guest user could use this flaw to crash the guest. (CVE-2014-3640) Red Hat would like to thank James Spadaro of Cisco for reporting CVE-2014-7815, and Xavier Mehrenberger and Stephane Duverger of Airbus for reporting CVE-2014-3640. The CVE-2014-8106 issue was found by Paolo Bonzini of Red Hat, and the CVE-2014-7840 issue was discovered by Michael S. Tsirkin of Red Hat. Bug fixes: * The KVM utility executed demanding routing update system calls every time it performed an MSI vector mask/unmask operation. Consequently, guests running legacy systems such as Red Hat Enterprise Linux 5 could, under certain circumstances, experience significant slowdown. Now, the routing system calls during mask/unmask operations are skipped, and the performance of legacy guests is now more consistent. (BZ#1098976) * Due to a bug in the Internet Small Computer System Interface (iSCSI) driver, a qemu-kvm process terminated unexpectedly with a segmentation fault when the "write same" command was executed in guest mode under the iSCSI protocol. This update fixes the bug, and the "write same" command now functions in guest mode under iSCSI as intended. (BZ#1083413) * The QEMU command interface did not properly handle resizing of cache memory during guest migration, causing QEMU to terminate unexpectedly with a segmentation fault. This update fixes the related code, and QEMU no longer crashes in the described situation. (BZ#1066338) Enhancements: * The maximum number of supported virtual CPUs (vCPUs) in a KVM guest has been increased to 240. This increases the number of virtual processing units that the user can assign to the guest, and therefore improves its performance potential. (BZ#1134408) * Support for the 5th Generation Intel Core processors has been added to the QEMU hypervisor, the KVM kernel code, and the libvirt API. This allows KVM guests to use the following instructions and features: ADCX, ADOX, RDSFEED, PREFETCHW, and supervisor mode access prevention (SMAP). (BZ#1116117) * The "dump-guest-memory" command now supports crash dump compression. This makes it possible for users who cannot use the "virsh dump" command to require less hard disk space for guest crash dumps. In addition, saving a compressed guest crash dump frequently takes less time than saving a non-compressed one. (BZ#1157798) * This update introduces support for flight recorder tracing, which uses SystemTap to automatically capture qemu-kvm data while the guest machine is running. For detailed instructions on how to configure and use flight recorder tracing, see the Virtualization Deployment and Administration Guide, linked to in the References section below. (BZ#1088112) Important Copyright 2015 Red Hat, Inc. CVE-2014-3640 CVE-2014-7815 CVE-2014-7840 CVE-2014-8106 qemu-kvm core dump when guest do S3/S4 with max(232) virtio block devices (multifunction=on) passthrough USB speaker to win2012 guest fail to work well flood with 'xhci: wrote doorbell while xHC stopped or paused' when redirected USB Webcam from usb-host with xHCI controller xhci: FIXME: endpoint stopped w/ xfers running, data might be lost qemu-kvm failing when invalid machine type is provided vlan and queues options cause core dumped when qemu-kvm process quit(or ctrl+c) qemu should give a more friendly prompt when didn't specify read-only for VMDK format disk qemu-img convert rate about 100k/second from qcow2/raw to vmdk format on nfs system file Gluster etc. should not be a dependency of vscclient and libcacard the error message "scsi generic interface too old" is wrong more often than not BUG: qemu-kvm hang when use '-sandbox on'+'vnc'+'hda' fail to reboot guest after migration from RHEL6.5 host to RHEL7.0 host Format specific information (create type) was wrong when create it specified subformat='streamOptimized' Guest can't receive any character transmitted from host after hot unplugging virtserialport then hot plugging again qemu-img creates truncated VMDK image with subformat=twoGbMaxExtentFlat fail to passthrough the USB speaker redirected from usb-redir with xhci controller fail to be recognized the hotpluging usb-storage device with xhci controller in win2012R2 guest PCI: QEMU crash on illegal operation: attaching a function to a non multi-function device qcow2 corruptions (leaked clusters after installing a rhel7 guest using virtio_scsi) qemu crash when reboot win7 guest with spice display [qxl] The guest show black screen while resumed guest which managedsaved in pmsuspended status. qemu-kvm core dump when hot-plug virtio-blk-pci device with gluster backend Reduce the migrate cache size during migration causes qemu segment fault qemu core dump when install a RHEL.7 guest(xhci) with migration qemu-kvm can not give any warning hint when set sndbuf with negative value migration can not finish with 1024k 'remaining ram' left after hotunplug 4 nics qemu-kvm core dumped when hotplug/unhotplug USB3.0 device multi times qemu-kvm does not quit when booting guest w/ 161 vcpus and "-no-kvm" [WHQL][balloon][virtio-rng]ob named DPWLK-HotADD-Device Test- Verify dirver support for Hot-Add CPU made win2k8-R2 BSOD (0x7E) qemu-kvm: iSCSI: Failure. SENSE KEY:ILLEGAL_REQUEST(5) ASCQ:INVALID_FIELD_IN_CDB(0x2400) Guest hits call trace migrate from RHEL6.5 to RHEL7.0 host with -M 6.1 & balloon & uhci device migrate_cancel wont take effect on previouly wrong migrate -d cmd src qemu crashed when starting migration in inmigrate mode qemu crash when device_del usb-redir qemu-img coredumpd when try to create a gluster format image QEMU fail to check whether duplicate ID for block device drive using 'blockdev-add' to hotplug there are four "gluster" in qemu-img supported format list hot-plug a virtio-scsi disk via 'blockdev-add' always cause QEMU quit QEMU will not reject invalid number of queues (num_queues = 0) specified for virtio-scsi there are three "nbd" in qemu-img supported format list Hot plug CPU not working with RHEL6 machine types running on RHEL7 host. vectors of virtio-scsi-pci will be 0 when set vectors>=129 QEMU core dumped when boot up two scsi-hd disk on the same virtio-scsi-pci controller in Intel host [RFE] qemu-img: Add/improve Disk2VHD tools creating VHDX images qemu ' KVM internal error. Suberror: 1' when query cpu frequently during pxe boot in Intel "Q95xx" host RFE: Supporting creating vmdk/vdi/vpc format disk with protocols (glusterfs) 48% reduction in IO performance for KVM guest, io=native rdma migration: seg if destination isn't listening Guest crash when hotplug usb while disable virt_use_usb Migration failed with virtio-blk from RHEL6.5.0 host to RHEL7.0 host Backport qemu_bh_schedule() race condition fix Return value of virtio_load not checked in virtio_rng_load VMstate static checker: backport -dump-vmstate feature to export json-encoded vmstate info Pass close from qemu-ga qemu-kvm crashed when doing iofuzz testing After migration of RHEL7.1 guest with "-vga qxl", GUI console is hang fail to specify wwn for virtual IDE CD-ROM Opening malformed VMDK description file should fail QEMU fails to correctly read/write on VMDK with big flat extent Opening an obviously truncated VMDK image should fail qemu-img convert from ISO to streamOptimized fails fail to login spice session with password + expire time Allow qemu-img to bypass the host cache (check, compare, convert, rebase, amend) Should replace "qemu-system-i386" by "/usr/libexec/qemu-kvm" in manpage of qemu-kvm for our official qemu-kvm build Enable native qemu support for Ceph Qemu crashed if reboot guest after hot remove AC97 sound device guest is stuck when setting balloon memory with large guest-stats-polling-interval CVE-2014-3640 qemu: slirp: NULL pointer deref in sosendto() qemu-kvm: undefined symbol: glfs_discard_async CVE-2014-7815 qemu: vnc: insufficient bits_per_pixel from the client sanitization qemu-img convert intermittently corrupts output images invalid QEMU NOTEs in vmcore that is dumped for multi-VCPU guests CVE-2014-7840 qemu: insufficient parameter validation during ram load CVE-2014-8106 qemu: cirrus: insufficient blit region checks Delete cow block driver qemu core dumped when unhotplug gpu card assigned to guest cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0377: libreoffice security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite. It was found that LibreOffice documents executed macros unconditionally, without user approval, when these documents were opened using LibreOffice. An attacker could use this flaw to execute arbitrary code as the user running LibreOffice by embedding malicious VBA scripts in the document as macros. (CVE-2014-0247) A flaw was found in the OLE (Object Linking and Embedding) generation in LibreOffice. An attacker could use this flaw to embed malicious OLE code in a LibreOffice document, allowing for arbitrary code execution. (CVE-2014-3575) A use-after-free flaw was found in the "Remote Control" capabilities of the LibreOffice Impress application. An attacker could use this flaw to remotely execute code with the permissions of the user running LibreOffice Impress. (CVE-2014-3693) The libreoffice packages have been upgraded to upstream version 4.2.6.3, which provides a number of bug fixes and enhancements over the previous version. Among others: * Improved OpenXML interoperability. * Additional statistic functions in Calc (for interoperability with Excel and Excel's Add-in "Analysis ToolPak"). * Various performance improvements in Calc. * Apple Keynote and Abiword import. * Improved MathML export. * New Start screen with thumbnails of recently opened documents. * Visual clue in Slide Sorter when a slide has a transition or an animation. * Improvements for trend lines in charts. * Support for BCP-47 language tags. (BZ#1119709) All libreoffice users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-0247 CVE-2014-3575 CVE-2014-3693 [fix available] Usability - libreoffice does not search XDG defined "Templates" directory [fix available] Highlighting the currently selected slide vs the currently viewed slide is hard in impress CVE-2014-0247 libreoffice: VBA macros executed unconditionally [fix available] LibreOffice Calc: PDF export of an empty document fails with Write Error [fix available] impress killed by SIGABRT on paste into outline view at a position where the slide has no title object Rebase to latest stable LibreOffice 4.2.X in RHEL-7.1 rebase libcmis to 0.4.1 rebase mdds to 0.10.3 rebase libmwaw to 0.2.0 rebase libodfgen to 0.0.4 rebase liblangtag to 0.5.4 CVE-2014-3575 openoffice: Arbitrary file disclosure via crafted OLE objects CVE-2014-3693 libreoffice: Use-After-Free in socket manager of Impress Remote cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0383: ppc64-diag security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The ppc64-diag packages provide diagnostic tools for Linux on the 64-bit PowerPC platforms. The platform diagnostics write events reported by the firmware to the service log, provide automated responses to urgent events, and notify system administrators or connected service frameworks about the reported events. Multiple insecure temporary file use flaws were found in the way the ppc64-diag utility created certain temporary files. A local attacker could possibly use either of these flaws to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running ppc64-diag, or obtain sensitive information from the temporary files. (CVE-2014-4038, CVE-2014-4039) The ppc64-diag packages have been upgraded to upstream version 2.6.7, which provides a number of bug fixes and enhancements over the previous version including support for hot plugging of QEMU PCI devices. (BZ#1088493, BZ#1084062) This update also fixes the following bugs: * Prior to this update, the rtas_errd daemon was not started by default on system boot. With this update, rtas_errd has been modified to start automatically by default. (BZ#1170146) * Previously, the /var/log/dump file was not automatically created when installing the ppc64-diag package. This bug has been fixed, and /var/log/dump is now created at package install time as expected. (BZ#1175808) In addition, this update adds the following enhancement: * This update adds support for building the ppc64-diag packages on the little-endian variant of IBM Power Systems platform architecture. (BZ#1124007) Users of ppc64-diag are advised to upgrade to these updated packages, which correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-4038 CVE-2014-4039 CVE-2014-4038 CVE-2014-4039 ppc64-diag: multiple temporary file races cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0384: powerpc-utils security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 The powerpc-utils packages provide various utilities for the PowerPC platform. A flaw was found in the way the snap utility of powerpc-utils generated an archive containing a configuration snapshot of a service. A local attacker could obtain sensitive information from the generated archive such as plain text passwords. (CVE-2014-4040) The powerpc-utils packages have been upgraded to the upstream version 1.2.24, which provides a number of bug fixes and enhancements over the previous version. (BZ#1088539, BZ#1167865, BZ#1161552) This update also fixes the following bugs: * Previously, the lsdevinfo command did not correctly process the path to the device, which made the path unreadable in the console output of lsdevinfo. With this update, lsdevinfo has been updated and the path is now displayed correctly. (BZ#1079246) * Previously, after migrating several Linux partitions, Resource Monitoring and Control (RMC) was inactive and Machine Type, Model, and Serial number (MTMS) were set incorrectly, so the subsequent validation operation failed. This bug has been fixed, and validation is now successful after migration and suspend. (BZ#1083221) * Previously, when the drmgr tool attempted to remove the last CPU from the system, drmgr became unresponsive or terminated unexpectedly. This bug has been fixed, and drmgr no longer hangs or crashes in the described case. (BZ#1152313) * With this update, the drmgr utility has been fixed to correctly gather Logical Memory Block (LMB) information while performing Mem Dynamic Logical Partitioning (DLPAR) on little-endian varian of IBM Power Systems CPU architecture as expected (BZ#1170856). * Previously, the "ppc64_cpu --threads-per-core" command returned incorrect data with the --smt option enabled. This bug has been fixed and "ppc64_cpu --threads-per-core" now reports correctly with enabled --smt. (BZ#1179263) In addition, this update adds the following enhancements: * This update adds support for the Red Hat Enterprise Linux for POWER, little endian CPU architecture to the powerpc-utils package. (BZ#1124006) * This update adds support for hot plugging of the qemu virtio device with the drmgr command to the powerpc-utils package.(BZ#1083791) * The deprecated snap tool has been removed from the powerpc-utils packages. Its functionality has been integrated into the sosreport tool. (BZ#1172087) * With this update, a dependency on the perl-Data-Dumper package required by the rtas_dump utility has been added to powerpc-utils packages. (BZ#1175812) Users of powerpc-utils are advised to upgrade to these updated packages, which correct these issues and add these enhancements. Low Copyright 2015 Red Hat, Inc. CVE-2014-4040 CVE-2014-4040 powerpc-utils: snap creates archives with fstab and yaboot.conf which may expose certain passwords cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0416: 389-ds-base security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. An information disclosure flaw was found in the way the 389 Directory Server stored information in the Changelog that is exposed via the 'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain cases use this flaw to read data from the Changelog, which could include sensitive information such as plain-text passwords. (CVE-2014-8105) It was found that when the nsslapd-unhashed-pw-switch 389 Directory Server configuration option was set to "off", it did not prevent the writing of unhashed passwords into the Changelog. This could potentially allow an authenticated user able to access the Changelog to read sensitive information. (CVE-2014-8112) The CVE-2014-8105 issue was discovered by Petr Špaček of the Red Hat Identity Management Engineering Team, and the CVE-2014-8112 issue was discovered by Ludwig Krispenz of the Red Hat Identity Management Engineering Team. Enhancements: * Added new WinSync configuration parameters: winSyncSubtreePair for synchronizing multiple subtrees, as well as winSyncWindowsFilter and winSyncDirectoryFilter for synchronizing restricted sets by filters. (BZ#746646) * It is now possible to stop, start, or configure plug-ins without the need to restart the server for the change to take effect. (BZ#994690) * Access control related to the MODDN and MODRDN operations has been updated: the source and destination targets can be specified in the same access control instruction. (BZ#1118014) * The nsDS5ReplicaBindDNGroup attribute for using a group distinguished name in binding to replicas has been added. (BZ#1052754) * WinSync now supports range retrieval. If more than the MaxValRange number of attribute values exist per attribute, WinSync synchronizes all the attributes to the directory server using the range retrieval. (BZ#1044149) * Support for the RFC 4527 Read Entry Controls and RFC 4533 Content Synchronization Operation LDAP standards has been added. (BZ#1044139, BZ#1044159) * The Referential Integrity (referint) plug-in can now use an alternate configuration area. The PlugInArg plug-in configuration now uses unique configuration attributes. Configuration changes no longer require a server restart. (BZ#1044203) * The logconv.pl log analysis tool now supports gzip, bzip2, and xz compressed files and also TAR archives and compressed TAR archives of these files. (BZ#1044188) * Only the Directory Manager could add encoded passwords or force users to change their password after a reset. Users defined in the passwordAdminDN attribute can now also do this. (BZ#1118007) * The "nsslapd-memberofScope" configuration parameter has been added to the MemberOf plug-in. With MemberOf enabled and a scope defined, moving a group out of scope with a MODRDN operation failed. Moving a member entry out of scope now correctly removes the memberof value. (BZ#1044170) * The alwaysRecordLoginAttr attribute has been addded to the Account Policy plug-in configuration entry, which allows to distinguish between an attribute for checking the activity of an account and an attribute to be updated at successful login. (BZ#1060032) * A root DSE search, using the ldapsearch command with the '-s base -b ""' options, returns only the user attributes instead of the operational attributes. The "nsslapd-return-default" option has been added for backward compatibility. (BZ#1118021) * The configuration of the MemberOf plug-in can be stored in a suffix mapped to a back-end database, which allows MemberOf configuration to be replicated. (BZ#1044205) * Added support for the SSL versions from the range supported by the NSS library available on the system. Due to the POODLE vulnerability, SSLv3 is disabled by default even if NSS supports it. (BZ#1044191) Important Copyright 2015 Red Hat, Inc. CVE-2014-8105 CVE-2014-8112 nsDS5BeginReplicaRefresh attribute accepts any value and it doesn't throw any error when server restarts. Possible to add invalid ACI value Possible to add nonexistent target to ACI if nsslapd-cachememsize set to the number larger than the RAM available, should result in proper error message. Attribute "dsOnlyMemberUid" not allowed when syncing nested posix groups from AD with posixWinsync Self entry access ACI not working properly Non-directory manager can change the individual userPassword's storage scheme Some attributes in cn=config should not be multivalued [RFE] Allow dynamically adding/enabling/disabling/removing plugins without requiring a server restart errorlog-level 16384 is listed as 0 in cn=config Enabling/Disabling DNA plug-in throws "ldap_modify: Server Unwilling to Perform (53)" error setup-ds.pl doesn't lookup the "root" group correctly start dirsrv after ntpd Managed Entries betxnpreoperation - transaction not aborted upon failure to create managed entry add dbmon.sh Indexed search with filter containing '&' and "!" with attribute subtypes gives wrong result [RFE] should set LDAP_OPT_X_SASL_NOCANON to LDAP_OPT_ON by default [RFE] make connection buffer size adjustable [RFE] posix winsync should support ADD user/group entries from DS to AD mep_pre_op: Unable to fetch origin entry [RFE] Support RFC 4527 Read Entry Controls Allow search to look up 'in memory RUV' MMR stress test with dna enabled causes a deadlock winsync doesn't sync DN valued attributes if DS DN value doesn't exist modrdn + NSMMReplicationPlugin - Consumer failed to replay change resurrected entry is not correctly indexed Add a warning message when a connection hits the max number of threads 7-bit check plugin does not work for userpassword attribute The backend name provided to bak2db is not validated [RFE] Winsync should support range retrieval 7-bit checking is not necessary for userPassword With SeLinux, ports can be labelled per range. setup-ds.pl or setup-ds-admin.pl fail to detect already ranged labelled ports ChainOnUpdate: "cn=directory manager" can modify userRoot on consumer without changes being chained or replicated. Directory integrity compromised. mods optimizer multi master replication allows schema violation DS crashes with some 7-bit check plugin configurations Some updates of "passwordgraceusertime" are useless when updating "userpassword" [RFE] Support 'Content Synchronization Operation' (SyncRepl) - RFC 4533 remove-ds.pl should remove /var/lock/dirsrv enhance retro changelog updates to ruv entry are written to retro changelog Password administrators should be able to violate password policy Schema replication between DS versions may overwrite newer base schema [RFE] ACIs do not allow attribute subtypes in targetattr keyword [RFE] Allow memberOf suffixes to be configurable [RFE] Allow referential integrity suffixes to be configurable Plugin library path validation prevents intentional loading of out-of-tree modules [RFE] make referential integrity configuration more flexible allow configuring changelog trim interval objectclass may, must lists skip rest of objectclass once first is found in sup memberOf on a user is converted to lowercase report unindexed internal searches With 1.3.04 and subtree-renaming OFF, when a user is deleted after restarting the server, the same entry can't be added dbscan on entryrdn should show all matching values [RFE] logconv.pl - add on option for a minimum etime for unindexed search stats [RFE] Recognize compressed log files [RFE] support TLSv1.1 and TLSv1.2, if supported by NSS default nsslapd-sasl-max-buffer-size should be 2MB Complex filter in a search request doen't work as expected. Automember plug-in should treat MODRDN operations as ADD operations Replication of the schema may overwrite consumer 'attributetypes' even if consumer definition is a superset db2bak.pl issue when specifying non-default directory [RFE] Allow referint plugin to use an alternate config area [RFE] Allow memberOf to use an alternate config area idl switch does not work [RFE] make old-idl tunable IDL-style can become mismatched during partial restoration backend performance - introduce optimization levels using transaction batchval violates durability examine replication code to reduce amount of stored state information 7-bit check plugin not checking MODRDN operation Windows Sync group issues Page control does not work if effective rights control is specified [RFE] Allow nsDS5ReplicaBindDN to be a group DN logconv errors when search has invalid bind dn betxn: retro changelog broken after cancelled transaction single valued attribute replicated ADD does not work Size returned by slapi_entry_size is not accurate Replication retry time attributes cannot be added Missing warning for invalid replica backoff configuration Updating nsds5ReplicaHost attribute in a replication agreement fails with error 53 Under heavy stress, failure of turning a tombstone into glue makes the server hung Part of DNA shared configuration is deleted after server restart Continuous add/delete of an entry in MMR setup causes entryrdn-index conflict ldap/servers/slapd/back-ldbm/dblayer.c: possible minor problem with sscanf Memory leak with proxy auth control Simultaneous adding a user and binding as the user could fail in the password policy check Creating a glue fails if one above level is a conflict or missing attribute uniqueness plugin fails when set as a chaining component empty modify returns LDAP_INVALID_DN_SYNTAX mem leak in do_bind when there is an error mem leak in do_search - rawbase not freed upon certain errors Performing deletes during tombstone purging results in operation errors #481 breaks possibility to reassemble memberuid list A replicated MOD fails (Unwilling to perform) if it targets a tombstone nsslapd-ndn-cache-max-size accepts any invalid value. Negative value of nsSaslMapPriority is not reset to lowest priority Problem with deletion while replicated db2bak.pl error with changelogdb Normalization from old DN format to New DN format doesnt handel condition properly when there is space in a suffix after the seperator operator. Rebase 389-ds-base to 1.3.3 find a way to remove replication plugin errors messages "changelog iteration code returned a dummy entry with csn %s, skipping ..." managed entry plugin fails to update managed entry pointer on modrdn operation Logconv.pl with an empty access log gives lots of errors logconv.pl memory continually grows rsearch filter error on any search filter [RFE] CLI report to monitor replication rhds91 389-ds-base-1.2.11.15-31.el6_5.x86_64 crash in db4 __dbc_get_pp env = 0x0 ? single valued attribute replicated ADD does not work 389 Server crashes if uniqueMember is invalid syntax and memberOf plugin is enabled. Parent numsubordinate count can be incorrectly updated if an error occurs Nested tombstones become orphaned after purge Tombstone purging can crash the server if the backend is stopped/disabled Coverity issue in 1.3.3 valgrind - value mem leaks, uninit mem usage provide default syntax plugin Environment variables are not passed when DS is started via service Updating winsync one-way sync does not affect the behaviour dynamically Broken dereference control with the FreeIPA 4.0 ACIs server restart wipes out index config if there is a default index attrcrypt_generate_key calls slapd_pk11_TokenKeyGenWithFlags with improper macro Server deadlock if online import started while server is under load paged results control is not working in some cases when we have a subsuffix. harden the list of ciphers available by default Fix various typos in manpages & code Fix hyphens used as minus signed and other manpage mistakes server crashes deleting a replication agreement [RFE] forcing passwordmustchange attribute by non-cn=directory manager [RFE] Make it possible for privileges to be provided to an admin user to import an LDIF file containing hashed passwords [RFE] Enhance ACIs to have more control over MODRDN operations [RFE] Don't return all attributes in rootdse without explicit request Schema Replication Issue Failed deletion of aci: no such attribute If be_txn plugin fails in ldbm_back_add, adding entry is double freed. Add switch to disable pre-hashed password checking Make ldbm_back_seq independently support transactions Add operations rejected by betxn plugins remain in cache online import crashes server if using verbose error logging [RFE] add fixup-memberuid.pl script winsync plugin modify is broken [RFE] memberof scope: allow to exclude subtrees 389-ds production segfault: __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:144 ds logs many "SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error" messages ds logs many "Operation error fetching Null DN" messages Improve import logging and abort handling Multi master replication initialization incomplete after restore of one master Don't add unhashed password mod if we don't have an unhashed value Investigate betxn plugins to ensure they return the correct error code The error result text message should be obtained just prior to sending result coverity defects found in 1.3.3.x Broken dereference control with the FreeIPA 4.0 ACIs 389-ds 1.3.3.0 does not adjust cipher suite configuration on upgrade, breaks itself and pki-server: "Cipher suite fortezza is not available in NSS 3.17" , "Cannot communicate securely with peer: no common encryption algorithm(s)." result of dna_dn_is_shared_config is incorrectly used Encoding of SearchResultEntry is missing tag ldbm_back_modify SLAPI_PLUGIN_BE_PRE_MODIFY_FN does not return even if one of the preop plugins fails. dynamically added macro aci is not evaluated on the fly Disable SSL v3, by default. Crash in entry_add_present_values_wsi_multi_valued Directory Server crashes while trying to perform export task for automember plugin with dynamic plugin on. Should not check aci syntax when deleting an aci RHEL7.1 ns-slapd segfault when ipa-replica-install restarts dirsrv cookie_change_info returns random negative number if there was no change in a tree CVE-2014-8105 389-ds-base: information disclosure through 'cn=changelog' subtree cos_cache_build_definition_list does not stop during server shutdown COS memory leak when rebuilding the cache Account lockout attributes incorrectly updated after failed SASL Bind start dirsrv after chrony Bind DN tracking unable to write to internalModifiersName without special permissions Server crashes when memberOf plugin is partially configured CVE-2014-8112 389-ds-base: password hashing bypassed when "nsslapd-unhashed-pw-switch" is set to off [RFE] BDB backend - clear free page files to reduce main db and changelog db size RHEL 7.1 ipa-server-4.1.0 upgrade fails User enable/disable does not sync with ipawinsyncacctdisable set to both IPA replica missing data after master upgraded cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0425: openssh security, bug fix and enhancement update (Moderate) Red Hat Enterprise Linux 7 OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) The openssh packages have been upgraded to upstream version 6.6.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#1059667) Bug fixes: * An existing /dev/log socket is needed when logging using the syslog utility, which is not possible for all chroot environments based on the user's home directories. As a consequence, the sftp commands were not logged in the chroot setup without /dev/log in the internal sftp subsystem. With this update, openssh has been enhanced to detect whether /dev/log exists. If /dev/log does not exist, processes in the chroot environment use their master processes for logging. (BZ#1083482) * The buffer size for a host name was limited to 64 bytes. As a consequence, when a host name was 64 bytes long or longer, the ssh-keygen utility failed. The buffer size has been increased to fix this bug, and ssh-keygen no longer fails in the described situation. (BZ#1097665) * Non-ASCII characters have been replaced by their octal representations in banner messages in order to prevent terminal re-programming attacks. Consequently, banners containing UTF-8 strings were not correctly displayed in a client. With this update, banner messages are processed according to RFC 3454, control characters have been removed, and banners containing UTF-8 strings are now displayed correctly. (BZ#1104662) * Red Hat Enterprise Linux uses persistent Kerberos credential caches, which are shared between sessions. Previously, the GSSAPICleanupCredentials option was set to "yes" by default. Consequently, removing a Kerberos cache on logout could remove unrelated credentials of other sessions, which could make the system unusable. To fix this bug, GSSAPICleanupCredentials is set by default to "no". (BZ#1134447) * Access permissions for the /etc/ssh/moduli file were set to 0600, which was unnecessarily strict. With this update, the permissions for /etc/ssh/moduli have been changed to 0644 to make the access to the file easier. (BZ#1134448) * Due to the KRB5CCNAME variable being truncated, the Kerberos ticket cache was not found after login using a Kerberos-enabled SSH connection. The underlying source code has been modified to fix this bug, and Kerberos authentication works as expected in the described situation. (BZ#1161173) Enhancements: * When the sshd daemon is configured to force the internal SFTP session, a connection other then SFTP is used, the appropriate message is logged to the /var/log/secure file. (BZ#1130198) * The sshd-keygen service was run using the "ExecStartPre=-/usr/sbin/sshd-keygen" option in the sshd.service unit file. With this update, the separate sshd-keygen.service unit file has been added, and sshd.service has been adjusted to require sshd-keygen.service. (BZ#1134997) Users of openssh are advised to upgrade to these updated packages, which correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-2653 CVE-2014-9278 ssh client showing Connection closed by UNKNOWN after timeout at password prompt Inconsistent error message when generating keys in FIPS mode CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios sftp / symlink does not create relative links ssh-keygen with error : gethostname: File name too long AuthorizedKeysCommand does not work under the Match section sshd.service shouldn't call /usr/sbin/sshd-keygen directly using ExecStartPre sshd fails to start in FIPS mode due to ED25519 key generation sshd requires that .k5login exists even if krb5_kuserok() returns TRUE KerberosUseKuserok default changed from "yes" to "no" sshd sets KRB5CCNAME environment variable with a truncated value fatal: monitor_read: unsupported request: 82 on server while attempting GSSAPI key exchange CVE-2014-9278 openssh: ~/.k5users unexpectedly grants remote login cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0430: virt-who security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The virt-who package provides an agent that collects information about virtual guests present in the system and reports them to the subscription manager. It was discovered that the /etc/sysconfig/virt-who configuration file, which may contain hypervisor authentication credentials, was world-readable. A local user could use this flaw to obtain authentication credentials from this file. (CVE-2014-0189) Red Hat would like to thank Sal Castiglione for reporting this issue. The virt-who package has been upgraded to upstream version 0.11, which provides a number of bug fixes and enhancements over the previous version. The most notable bug fixes and enhancements include: * Support for remote libvirt. * A fix for using encrypted passwords. * Bug fixes and enhancements that increase the stability of virt-who. (BZ#1122489) This update also fixes the following bugs: * Prior to this update, the virt-who agent failed to read the list of virtual guests provided by the VDSM daemon. As a consequence, when in VDSM mode, the virt-who agent was not able to send updates about virtual guests to Subscription Asset Manager (SAM) and Red Hat Satellite. With this update, the agent reads the list of guests when in VDSM mode correctly and reports to SAM and Satellite as expected. (BZ#1153405) * Previously, virt-who used incorrect information when connecting to Red Hat Satellite 5. Consequently, virt-who could not connect to Red Hat Satellite 5 servers. The incorrect parameter has been corrected, and virt-who can now successfully connect to Red Hat Satellite 5. (BZ#1158859) * Prior to this update, virt-who did not decode the hexadecimal representation of a password before decrypting it. As a consequence, the decrypted password did not match the original password, and attempts to connect using the password failed. virt-who has been updated to decode the encrypted password and, as a result, virt-who now handles storing credentials using encrypted passwords as expected. (BZ#1161607) In addition, this update adds the following enhancement: * With this update, virt-who is able to read the list of guests from a remote libvirt hypervisor. (BZ#1127965) Users of virt-who are advised to upgrade to this updated package, which corrects these issues and adds these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-0189 Remove dependency on 'libvirt' RPM virt-who creat a null system in SAM server in esx mode Faild to add Hyper-V 2012 to SAM as virt-who communication with Hyper-V failed virt-who failed when testing against Satellite 5.6 due to missing folder /var/lib/virt-who in RHEL 7 CVE-2014-0189 virt-who: plaintext hypervisor passwords in world-readable /etc/sysconfig/virt-who configuration file virt-who dies when the system is being unregistered virt-who rebase [RFE] Please add libvirt parameter for using Red Hat Enterprise Linux for Virtual Datacenter in kvm environments. virt-who can't work in the VDSM mode Wrong permission for configuration file /etc/sysconfig/virt-who on rhel7.1 Can't display the running mode in the virt-who log virt-who uses wrong server when connecting to satellite "/etc/virt-who.d" hasn't been created by default. Take over one minute to stop/restart virt-who service in ESX mode. virt-who not able to decrypt encrypted password syslog.target depenancy Failed to send host/guest associate to SAM when virt-who run at esx mode [VDSM mode]Failed to send host/guest associate to SAM when there is a vm in the host virt-who incorrectly says that VM is from 'None' hypervisor cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0439: krb5 security, bug fix and enhancement update (Moderate) Red Hat Enterprise Linux 7 A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application. (CVE-2014-4344) A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database. A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind. (CVE-2014-4345) A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) call the gss_process_context_token() function could use this flaw to crash that application. (CVE-2014-5352) If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker with the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal. (CVE-2014-5353) A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, using specially crafted XDR packets. (CVE-2014-9421) It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as "kad/x") could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. (CVE-2014-9422) An information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS implementation (libgssrpc) handled certain requests. An attacker could send a specially crafted request to an application using libgssrpc to disclose a limited portion of uninitialized memory used by that application. (CVE-2014-9423) Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application. (CVE-2014-4341, CVE-2014-4342) A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. (CVE-2014-4343) Red Hat would like to thank the MIT Kerberos project for reporting the CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, and CVE-2014-9423 issues. MIT Kerberos project acknowledges Nico Williams for helping with the analysis of CVE-2014-5352. The krb5 packages have been upgraded to upstream version 1.12, which provides a number of bug fixes and enhancements, including: * Added plug-in interfaces for principal-to-username mapping and verifying authorization to user accounts. * When communicating with a KDC over a connected TCP or HTTPS socket, the client gives the KDC more time to reply before it transmits the request to another server. (BZ#1049709, BZ#1127995) This update also fixes multiple bugs, for example: * The Kerberos client library did not recognize certain exit statuses that the resolver libraries could return when looking up the addresses of servers configured in the /etc/krb5.conf file or locating Kerberos servers using DNS service location. The library could treat non-fatal return codes as fatal errors. Now, the library interprets the specific return codes correctly. (BZ#1084068, BZ#1109102) In addition, this update adds various enhancements. Among others: * Added support for contacting KDCs and kpasswd servers through HTTPS proxies implementing the Kerberos KDC Proxy (KKDCP) protocol. (BZ#1109919) Moderate Copyright 2015 Red Hat, Inc. CVE-2014-4341 CVE-2014-4342 CVE-2014-4343 CVE-2014-4344 CVE-2014-4345 CVE-2014-5352 CVE-2014-5353 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423 ipv6 address handling in krb5.conf Please backport improved GSSAPI mech configuration Kerberos does not handle incorrect Active Directory DNS SRV entries correctly Backport https support into libkrb5 CVE-2014-4341 krb5: denial of service flaws when handling padding length longer than the plaintext ksu non-functional, gets invalid argument copying cred cache CVE-2014-4342 krb5: denial of service flaws when handling RFC 1964 tokens CVE-2014-4343: use-after-free crash in SPNEGO CVE-2014-4343 krb5: double-free flaw in SPNEGO initiators CVE-2014-4344 krb5: NULL pointer dereference flaw in SPNEGO acceptor for continuation tokens aggressive kinit timeout causes AS_REQ resent and subsequent OTP auth failure CVE-2014-4345 krb5: buffer overrun in kadmind with LDAP backend (MITKRB5-SA-2014-001) libkadmclnt SONAME change (8 to 9) in krb5 1.12 update CVE-2014-5353 krb5: NULL pointer dereference when using a ticket policy name as a password policy name CVE-2014-5352 krb5: gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001) CVE-2014-9421 krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001) CVE-2014-9422 krb5: kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001) CVE-2014-9423 krb5: libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001) kinit loops on principals on unknown error cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0442: ipa security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Two cross-site scripting (XSS) flaws were found in jQuery, which impacted the Identity Management web administrative interface, and could allow an authenticated user to inject arbitrary HTML or web script into the interface. (CVE-2010-5312, CVE-2012-6662) Note: The IdM version provided by this update no longer uses jQuery. This update adds several enhancements that are described in more detail in the Red Hat Enterprise Linux 7.1 Release Notes, linked to in the References section, including: * Added the "ipa-cacert-manage" command, which renews the Certification Authority (CA) file. (BZ#886645) * Added the ID Views feature. (BZ#891984) * IdM now supports using one-time password (OTP) authentication and allows gradual migration from proprietary OTP solutions to the IdM OTP solution. (BZ#919228) * Added the "ipa-backup" and "ipa-restore" commands to allow manual backups. (BZ#951581) * Added a solution for regulating access permissions to specific sections of the IdM server. (BZ#976382) This update also fixes several bugs, including: * Previously, when IdM servers were configured to require the Transport Layer Security protocol version 1.1 (TLSv1.1) or later in the httpd server, the "ipa" command-line utility failed. With this update, running "ipa" works as expected with TLSv1.1 or later. (BZ#1156466) In addition, this update adds multiple enhancements, including: * The "ipa-getkeytab" utility can now optionally fetch existing keytabs from the KDC. Previously, retrieving an existing keytab was not supported, as the only option was to generate a new key. (BZ#1007367) * You can now create and manage a "." root zone on IdM servers. DNS queries sent to the IdM DNS server use this configured zone instead of the public zone. (BZ#1056202) * The IdM server web UI has been updated and is now based on the Patternfly framework, offering better responsiveness. (BZ#1108212) * A new user attribute now enables provisioning systems to add custom tags for user objects. The tags can be used for automember rules or for additional local interpretation. (BZ#1108229) * This update adds a new DNS zone type to ensure that forward and master zones are better separated. As a result, the IdM DNS interface complies with the forward zone semantics in BIND. (BZ#1114013) * This update adds a set of Apache modules that external applications can use to achieve tighter interaction with IdM beyond simple authentication. (BZ#1107555) * IdM supports configuring automember rules for automated assignment of users or hosts in respective groups according to their characteristics, such as the "userClass" or "departmentNumber" attributes. Previously, the rules could be applied only to new entries. This update allows applying the rules also to existing users or hosts. (BZ#1108226) * The extdom plug-in translates Security Identifiers (SIDs) of Active Directory (AD) users and groups to names and POSIX IDs. With this update, extdom returns the full member list for groups and the full list of group memberships for a user, the GECOS field, the home directory, as well as the login shell of a user. Also, an optional list of key-value pairs contains the SID of the requested object if the SID is available. (BZ#1030699) All ipa users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2010-5312 CVE-2012-6662 [RFE] Normal users should not be given privileges to view all sudorules and their details. [RFE] Allow filter and subtree to be added in same permission Rename DNS permissions to use mixed-case error indicates a different reason when ipa permission-mod fails to modify attrs Unable to update "remove automount keys" - it has filter and subtree specified [RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA CLI / WEBUI [RFE] ID Views: Support migration from the sync solution to the trust solution Unable to update permissions for "Add Automount Keys" fix UI CSS to support RH branding IPA Navigation links overlaped or unclickable Unknown binary attributes can cause migration to fail [RFE] ipa-client-install should configure sudo automatically [RFE] Backup & Restore mechanism [RFE] pac-type change must be effective immediately without kdc restart Localization not working even for languages that are localized [RFE] add option to ipa-client-install to configure automount ipa-client-install --uninstall starts nscd service "username" field in IPA webUI login page should be mandatory There is no version information on IPA WebUI [RFE] Support initgroups for unauthenticated AD users ipa-client: add root CA to trust anchors if not already available ipactl can not restart ipa services if current status is "stopped" [WebUI] Realm domain is not providing proper error message [WebUI] Retry and Cancel dialogs do not support 'confirmation by Enter' [WebUI] "OK" button is not focused on "Operations Error" dialog, once we opened "show details" [RFE] Support DNS root zone Missing checks during ipa idrange-add IPA: Unable to add host when ipv6 address already exits [WebUI] Maximum serial number search accepts negative inputs and lists wrong search results. running ipa-server-install --setup-dns results in a crash bogus time estimates shown for configuration of various component in replica installation [WebUI] select all checkbox remains selected after operation IPA server does not allow sudo host network filters ipa-client-install --uninstall crash on a freshly installed machine joined to IPA via reamd and anaconda When certmonger is still tracking cert in ipa, uninstall fails but error does not indicate this [RFE] RHEL7 support for ipa-admintools on other architectures Apache crashes when replica is restarted when installing [RFE] Provide a stack of apache modules for any applications to consume MOD command returns duplicate memberships cannot create dns zone when name has consecutive dash characters dnsrecord-* with absolute target gives error [RFE] Add EmployeeID in the Web UI and command name PTR record cannot be added from UI, if user added zone without last '.' Replica installation dies if /etc/resolv.conf is not writeable sshd should run at least once before ipa-client-install [WebUI] When adding a condition to an automember rule, expression field should be required The Synchronizing time with KDC... message looks strange between login and password prompts [RFE] Adopt Patternfly/RCUE open interface project for the Web UI Installers should explicitly specify auth mechanism when calling ldapmodify ipa-replica-install: DNS check is between "host already exists" message and exit Make Read replication agreements permission less more targeted Unexpected error when providing incorrect password to ipa-ldap-updater Broken Firefox configuration files in freeipa-client package SSH widget doesn't honor a lack of write right Replace ntpdate calls with ntpd ipadb.so could get tripped up by DAL changes to support keyless principals [RFE] Use automember for hosts after the host is added Add UI for the new user and host userClass attribute [RFE] Better integration with the external provisioning systems - users Should not display ports to open when password is incorrect during ipa-client-install. ipa-join usage instructions are incorrect [RFE] ipa migrate-ds should have an argument to specify cert to use for DS connection [RFE] ipa dnsrecord-add should allow internationalized names [WebUI] it is not clear which row a value belongs to xmlrpc system commands do not work Name is blank in error message for duplicate automember rule [RFE] Enhance input validation for filters in access control Rebase IPA to 4.1 Internal Error: `ipa sudorule-mod rule --order=` [RFE] Add support for SubjectAltNames (SAN) to IPA service certificates ipa-server-install break sshd Setting a sudo category to all doesn't check to see if rules already exist Let deny commands be added to sudo rule with cmdcatetory=ALL Sudo runasgroup entry not generated by the sudo compat tree [RFE] Separate master and forward DNS zones Description attribute should not be required [RFE] Allow unlocking user in Web UI ipa-client-install creates configuration file with deprecated values Failure when installing on dual stacked system with external ca Windows Server 2012 CA does not accept CSR generated by IdM External CA installation CA-less installation fails when the CA cert has an empty subject Update SSL ciphers configured in 389-ds-base ipa-ldap-upgrade should restore Directory Server settings when upgrade fails Registering one IPA server with the browser removes entries for another ipa trust-add cmd should be interactive Internal error received for blank password with --trust-secret Password migration is broken Renewal with no master CA Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type Disable unsupported ID range types DS returns limited RootDSE Add support for bounce_url to /ipa/ui/reset_password.html Do not store host certificate in shared NSS database /etc/pki/nssdb ipa-server-install searches CA under different hostname host-del command does not accept --continue ipa man page incorrectly indicates how to add users group-add doesn't accept gid parameter POODLE: force using safe ciphers (non-SSLv3) in IPA client and server Trust setting not restored for CA cert with ipa-restore command RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd ignoring user attributes in migrate-ds does not work if uppercase characters are returned by ldap Investigate & fix Coverity defects in IPA DS/KDC plugins Tests: host-del returns DatabaseError Upgrade 3.3.5 to 4.1 failed ipactl stop should stop dirsrv last Deadlock in schema compat plugin ipa-server-install fails when restarting named Renewing the CA signing certificate does not extend its validity period end error message which is not understandable when IDNA2003 characters are present in --zonemgr (--zonemgr=Têko@redhat.com) Traceback when adding zone with long name RHEL7.1 IPA server httpd avc denials after upgrade CVE-2010-5312 jquery-ui: XSS vulnerability in jQuery.ui.dialog title option CVE-2012-6662 jquery-ui: XSS vulnerability in default content in Tooltip widget ipa-otp-lasttoken loads all user's tokens on every mod/del RHEL7.1 ipa automatic CA cert renewal stuck in submitting state schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 build fails Tracebacks with latest build for --zonemgr cli option RHEL7.1 ipa replica unable to replicate to rhel6 master [WebUI] Not able to unprovisioning service in IPA 4.1 Clean up debug log for trust-add Extend host-show to add the view attribute in set of default attributes RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible Winsync: Setup is broken due to incorrect import of certificate RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert krb5kdc crash in ldap_pvt_search webui: increase notification duration CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) Access is not rejected for disabled domain IPA certs fail to autorenew simultaneouly Data replication not working as expected after data restore from full backup No error message thrown on restore(full kind) on replica from full backup taken on master ipa-restore proceed even IPA not configured DNS zones are not migrated into forward zones if 4.0+ replica is added More validation required on ipa-restore's options IPA replica missing data after master upgraded When migrating warn user if compat is enabled IPA externally signed CA cert expiration warning missing from log ipa-replica-manage list does not list synced domain PassSync does not sync passwords due to missing ACIs ipa-upgradeconfig fails in CA-less installs ipa-replica-manage disconnect fails without password DUA profile not available anonymously idoverrideuser-add option --sshpubkey does not work ipa-restore crashes if replica is unreachable Wrong directories created on full restore Login ignores global OTP enablement Full set of objectclass not available post group detach. cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0535: GNOME Shell security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 GNOME Shell and the packages it depends upon provide the core user interface of the Red Hat Enterprise Linux desktop, including functions such as navigating between windows and launching applications. It was found that the GNOME shell did not disable the Print Screen key when the screen was locked. This could allow an attacker with physical access to a system with a locked screen to crash the screen-locking application by creating a large amount of screenshots. (CVE-2014-7300) This update also fixes the following bugs: * The Timed Login feature, which automatically logs in a specified user after a specified period of time, stopped working after the first user of the GUI logged out. This has been fixed, and the specified user is always logged in if no one else logs in. (BZ#1043571) * If two monitors were arranged vertically with the secondary monitor above the primary monitor, it was impossible to move windows onto the secondary monitor. With this update, windows can be moved through the upper edge of the first monitor to the secondary monitor. (BZ#1075240) * If the Gnome Display Manager (GDM) user list was disabled and a user entered the user name, the password prompt did not appear. Instead, the user had to enter the user name one more time. The GDM code that contained this error has been fixed, and users can enter their user names and passwords as expected. (BZ#1109530) * Prior to this update, only a small area was available on the GDM login screen for a custom text banner. As a consequence, when a long banner was used, it did not fit into the area, and the person reading the banner had to use scrollbars to view the whole text. With this update, more space is used for the banner if necessary, which allows the user to read the message conveniently. (BZ#1110036) * When the Cancel button was pressed while an LDAP user name and password was being validated, the GDM code did not handle the situation correctly. As a consequence, GDM became unresponsive, and it was impossible to return to the login screen. The affected code has been fixed, and LDAP user validation can be canceled, allowing another user to log in instead. (BZ#1137041) * If the window focus mode in GNOME was set to "mouse" or "sloppy", navigating through areas of a pop-up menu displayed outside its parent window caused the window to lose its focus. Consequently, the menu was not usable. This has been fixed, and the window focus is kept in under this scenario. (BZ#1149585) * If user authentication is configured to require a smart card to log in, user names are obtained from the smart card. The authentication is then performed by entering the smart card PIN. Prior to this update, the login screen allowed a user name to be entered if no smart card was inserted, but due to a bug in the underlying code, the screen became unresponsive. If, on the other hand, a smart card was used for authentication, the user was logged in as soon as the authentication was complete. As a consequence, it was impossible to select a session other than GNOME Classic. Both of these problems have been fixed. Now, a smart card is required when this type of authentication is enabled, and any other installed session can be selected by the user. (BZ#1159385, BZ#1163474) In addition, this update adds the following enhancement: * Support for quad-buffer OpenGL stereo visuals has been added. As a result, OpenGL applications that use quad-buffer stereo can be run and properly displayed within the GNOME desktop when used with a video driver and hardware with the necessary capabilities. (BZ#861507, BZ#1108890, BZ#1108891, BZ#1108893) All GNOME Shell users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. Low Copyright 2015 Red Hat, Inc. CVE-2014-7300 Timed Login Failure Details -- Default Applications -- calendar workspaces thumbnails in overview too narrow with large number of workspaces Qt menu placement problem with gnome-shell and vertical monitors Workspace window placement is not persistent if monitors are switched GDM hangs when cancelling ldap user login CVE-2014-7300 gnome-shell: lockscreen bypass with printscreen key sloppy/mouse focus mode break with long pull-down menus [multi-head] Window is moved on its own to other screen CVE-2014-7300 gnome-shell: lockscreen bypass with printscreen key [rhel-7.1] Respect disable-save-to-disk lockdown setting GDM does not prompt for smartcard pam_pkcs11 with card_only breaks session selection cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0642: thunderbird security update (Important) Red Hat Enterprise Linux 7 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-0836, CVE-2015-0831, CVE-2015-0827) An information leak flaw was found in the way Thunderbird implemented autocomplete forms. An attacker able to trick a user into specifying a local file in the form could use this flaw to access the contents of that file. (CVE-2015-0822) Note: All of the above issues cannot be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Carsten Book, Christoph Diehl, Gary Kwong, Jan de Mooij, Liz Henry, Byron Campen, Tom Schuster, Ryan VanderMeulen, Paul Bandha, Abhishek Arya, and Armin Razmdjou as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 31.5.0. You can find a link to the Mozilla advisories in the References section of this erratum. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 31.5.0, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-0822 CVE-2015-0827 CVE-2015-0831 CVE-2015-0836 CVE-2015-0836 Mozilla: Miscellaneous memory safety hazards (rv:31.5) (MFSA 2015-11) CVE-2015-0831 Mozilla: Use-after-free in IndexedDB (MFSA 2015-16) CVE-2015-0827 Mozilla: Out-of-bounds read and write while rendering SVG content (MFSA 2015-19) CVE-2015-0822 Mozilla: Reading of local files through manipulation of form autocomplete (MFSA 2015-24) cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0672: bind security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handled trust anchor management. A remote attacker could use this flaw to cause the BIND daemon (named) to crash under certain conditions. (CVE-2015-1349) Red Hat would like to thank ISC for reporting this issue. All bind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-1349 CVE-2015-1349 bind: issue in trust anchor management can cause named to crash cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0696: freetype security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. Multiple integer overflow flaws and an integer signedness flaw, leading to heap-based buffer overflows, were found in the way FreeType handled Mac fonts. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2014-9673, CVE-2014-9674) Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory. (CVE-2014-9657, CVE-2014-9658, CVE-2014-9660, CVE-2014-9661, CVE-2014-9663, CVE-2014-9664, CVE-2014-9667, CVE-2014-9669, CVE-2014-9670, CVE-2014-9671, CVE-2014-9675) All freetype users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2014-9657 CVE-2014-9658 CVE-2014-9660 CVE-2014-9661 CVE-2014-9663 CVE-2014-9664 CVE-2014-9667 CVE-2014-9669 CVE-2014-9670 CVE-2014-9671 CVE-2014-9673 CVE-2014-9674 CVE-2014-9675 CVE-2014-9657 freetype: off-by-one buffer over-read in tt_face_load_hdmx() CVE-2014-9658 freetype: buffer over-read and integer underflow in tt_face_load_kern() CVE-2014-9660 freetype: missing ENDCHAR NULL pointer dereference in the _bdf_parse_glyphs() CVE-2014-9661 freetype: out of bounds read in Type42 font parser CVE-2014-9663 freetype: out-of-bounds read in tt_cmap4_validate() CVE-2014-9664 freetype: off-by-one buffer over-read in parse_charstrings() / t42_parse_charstrings() CVE-2014-9667 freetype: integer overflow in tt_face_load_font_dir() leading to out-of-bounds read CVE-2014-9669 freetype: multiple integer overflows leading to buffer over-reads in cmap handling CVE-2014-9670 freetype: integer overflow in pcf_get_encodings() leading to NULL pointer dereference CVE-2014-9671 freetype: integer overflow in pcf_get_properties() leading to NULL pointer dereference CVE-2014-9673 freetype: integer signedness error in Mac_Read_POST_Resource() leading to heap-based buffer overflow CVE-2014-9674 freetype: multiple integer overflows Mac_Read_POST_Resource() leading to heap-based buffer overflows CVE-2014-9675 freetype: information leak in _bdf_add_property() cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:0700: unzip security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The unzip utility is used to list, test, or extract files from a zip archive. A buffer overflow was found in the way unzip uncompressed certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash or, possibly, execute arbitrary code when the archive was tested with unzip's '-t' option. (CVE-2014-9636) A buffer overflow flaw was found in the way unzip computed the CRC32 checksum of certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash when the archive was tested with unzip's '-t' option. (CVE-2014-8139) An integer underflow flaw, leading to a buffer overflow, was found in the way unzip uncompressed certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash when the archive was tested with unzip's '-t' option. (CVE-2014-8140) A buffer overflow flaw was found in the way unzip handled Zip64 files. A specially crafted Zip archive could possibly cause unzip to crash when the archive was uncompressed. (CVE-2014-8141) Red Hat would like to thank oCERT for reporting the CVE-2014-8139, CVE-2014-8140, and CVE-2014-8141 issues. oCERT acknowledges Michele Spagnuolo of the Google Security Team as the original reporter of these issues. All unzip users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-8139 CVE-2014-8140 CVE-2014-8141 CVE-2014-9636 CVE-2014-8139 unzip: CRC32 verification heap-based buffer overread (oCERT-2014-011) CVE-2014-8140 unzip: out-of-bounds write issue in test_compr_eb() (oCERT-2014-011) CVE-2014-8141 unzip: getZip64Data() out-of-bounds read issues (oCERT-2014-011) CVE-2014-9636 unzip: out-of-bounds read/write in test_compr_eb() in extract.c cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:0716: openssl security and bug fix update (Moderate) Red Hat Enterprise Linux 7 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. An invalid pointer use flaw was found in OpenSSL's ASN1_TYPE_cmp() function. A remote attacker could crash a TLS/SSL client or server using OpenSSL via a specially crafted X.509 certificate when the attacker-supplied certificate was verified by the application. (CVE-2015-0286) An integer underflow flaw, leading to a buffer overflow, was found in the way OpenSSL decoded malformed Base64-encoded inputs. An attacker able to make an application using OpenSSL decode a specially crafted Base64-encoded input (such as a PEM file) could use this flaw to cause the application to crash. Note: this flaw is not exploitable via the TLS/SSL protocol because the data being transferred is not Base64-encoded. (CVE-2015-0292) A denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293) A use-after-free flaw was found in the way OpenSSL imported malformed Elliptic Curve private keys. A specially crafted key file could cause an application using OpenSSL to crash when imported. (CVE-2015-0209) An out-of-bounds write flaw was found in the way OpenSSL reused certain ASN.1 structures. A remote attacker could possibly use a specially crafted ASN.1 structure that, when parsed by an application, would cause that application to crash. (CVE-2015-0287) A NULL pointer dereference flaw was found in OpenSSL's X.509 certificate handling implementation. A specially crafted X.509 certificate could cause an application using OpenSSL to crash if the application attempted to convert the certificate to a certificate request. (CVE-2015-0288) A NULL pointer dereference was found in the way OpenSSL handled certain PKCS#7 inputs. An attacker able to make an application using OpenSSL verify, decrypt, or parse a specially crafted PKCS#7 input could cause that application to crash. TLS/SSL clients and servers using OpenSSL were not affected by this flaw. (CVE-2015-0289) Red Hat would like to thank the OpenSSL project for reporting CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293. Upstream acknowledges Stephen Henson of the OpenSSL development team as the original reporter of CVE-2015-0286, Emilia Käsper of the OpenSSL development team as the original reporter of CVE-2015-0287, Brian Carpenter as the original reporter of CVE-2015-0288, Michal Zalewski of Google as the original reporter of CVE-2015-0289, Robert Dugal and David Ramos as the original reporters of CVE-2015-0292, and Sean Burford of Google and Emilia Käsper of the OpenSSL development team as the original reporters of CVE-2015-0293. This update also fixes the following bug: * When a wrapped Advanced Encryption Standard (AES) key did not require any padding, it was incorrectly padded with 8 bytes, which could lead to data corruption and interoperability problems. With this update, the rounding algorithm in the RFC 5649 key wrapping implementation has been fixed. As a result, the wrapped key conforms to the specification, which prevents the described problems. (BZ#1197667) All openssl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0292 CVE-2015-0293 CVE-2016-0703 CVE-2016-0704 CVE-2015-0209 openssl: use-after-free on invalid EC private key import CVE-2015-0286 openssl: invalid pointer use in ASN1_TYPE_cmp() CVE-2015-0287 openssl: ASN.1 structure reuse memory corruption CVE-2015-0289 openssl: PKCS7 NULL pointer dereference CVE-2015-0292 openssl: integer underflow leading to buffer overflow in base64 decoding CVE-2015-0293 openssl: assertion failure in SSLv2 servers CVE-2015-0288 openssl: X509_to_X509_REQ NULL pointer dereference cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0718: firefox security update (Critical) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Two flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-0817, CVE-2015-0818) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges ilxu1a and Mariusz Mlynski as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 31.5.3 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2015-0817 CVE-2015-0818 CVE-2015-0817 Mozilla: Code execution through incorrect JavaScript bounds checking elimination (MFSA 2015-29) CVE-2015-0818 Mozilla: Privilege escalation through SVG navigation (MFSA 2015-28) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 RHSA-2015:0726: kernel security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Linux kernel's Infiniband subsystem did not properly sanitize input parameters while registering memory regions from user space via the (u)verbs API. A local user with access to a /dev/infiniband/uverbsX device could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-8159, Important) * A use-after-free flaw was found in the way the Linux kernel's SCTP implementation handled authentication key reference counting during INIT collisions. A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-1421, Important) Red Hat would like to thank Mellanox for reporting the CVE-2014-8159 issue. The CVE-2015-1421 issue was discovered by Sun Baoliang of Red Hat. This update also fixes the following bugs: * In certain systems with multiple CPUs, when a crash was triggered on one CPU with an interrupt handler and this CPU sent Non-Maskable Interrupt (NMI) to another CPU, and, at the same time, ioapic_lock had already been acquired, a deadlock occurred in ioapic_lock. As a consequence, the kdump service could become unresponsive. This bug has been fixed and kdump now works as expected. (BZ#1197742) * On Lenovo X1 Carbon 3rd Gen, X250, and T550 laptops, the thinkpad_acpi module was not properly loaded, and thus the function keys and radio switches did not work. This update applies a new string pattern of BIOS version, which fixes this bug, and function keys and radio switches now work as intended. (BZ#1197743) * During a heavy file system load involving many worker threads, all worker threads in the pool became blocked on a resource, and no manager thread existed to create more workers. As a consequence, the running processes became unresponsive. With this update, the logic around manager creation has been changed to assure that the last worker thread becomes a manager thread and does not start executing work items. Now, a manager thread exists, spawns new workers as needed, and processes no longer hang. (BZ#1197744) * If a thin-pool's metadata enters read-only or fail mode, for example, due to thin-pool running out of metadata or data space, any attempt to make metadata changes such as creating a thin device or snapshot thin device should error out cleanly. However, previously, the kernel code returned verbose and alarming error messages to the user. With this update, due to early trapping of attempt to make metadata changes, informative errors are displayed, no longer unnecessarily alarming the user. (BZ#1197745) * When running Red Hat Enterprise Linux as a guest on Microsoft Hyper-V hypervisor, the storvsc module did not return the correct error code for the upper level Small Computer System Interface (SCSI) subsystem. As a consequence, a SCSI command failed and storvsc did not handle such a failure properly under some conditions, for example, when RAID devices were created on top of storvsc devices. An upstream patch has been applied to fix this bug, and storvsc now returns the correct error code in the described situation. (BZ#1197749) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2014-8159 CVE-2015-1421 CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access CVE-2015-1421 kernel: net: slab corruption from use after free on INIT collisions cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0727: kernel-rt security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Linux kernel's Infiniband subsystem did not properly sanitize input parameters while registering memory regions from user space via the (u)verbs API. A local user with access to a /dev/infiniband/uverbsX device could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-8159, Important) * A use-after-free flaw was found in the way the Linux kernel's SCTP implementation handled authentication key reference counting during INIT collisions. A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-1421, Important) Red Hat would like to thank Mellanox for reporting the CVE-2014-8159 issue. The CVE-2015-1421 issue was discovered by Sun Baoliang of Red Hat. The kernel-rt packages have been upgraded to version 3.10.0-229.1.2, which provides a number of bug fixes over the previous version, including: - The kdump service could become unresponsive due to a deadlock in the kernel call ioapic_lock. - Attempt to make metadata changes such as creating a thin device or snapshot thin device did not error out cleanly. (BZ#1203359) All kernel-rt users are advised to upgrade to these updated packages, which correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2014-8159 CVE-2015-1421 CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access CVE-2015-1421 kernel: net: slab corruption from use after free on INIT collisions kernel-rt: rebase tree to match RHEL7.1.z source tree cpe:/a:redhat:rhel_extras_rt:7 RHSA-2015:0728: ipa and slapi-nis security and bug fix update (Moderate) Red Hat Enterprise Linux 7 Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large-scale Linux and UNIX deployments. The ipa component provides centrally managed Identity, Policy, and Audit. The slapi-nis component provides NIS Server and Schema Compatibility plug-ins for Directory Server. It was discovered that the IPA extdom Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for a list of groups for a user that belongs to a large number of groups would cause a Directory Server to crash. (CVE-2015-1827) It was discovered that the slapi-nis Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for information about a group with many members, or a request for a user that belongs to a large number of groups, would cause a Directory Server to enter an infinite loop and consume an excessive amount of CPU time. (CVE-2015-0283) These issues were discovered by Sumit Bose of Red Hat. This update fixes the following bugs: * Previously, users of IdM were not properly granted the default permission to read the "facsimiletelephonenumber" user attribute. This update adds "facsimiletelephonenumber" to the Access Control Instruction (ACI) for user data, which makes the attribute readable to authenticated users as expected. (BZ#1198430) * Prior to this update, when a DNS zone was saved in an LDAP database without a dot character (.) at the end, internal DNS commands and operations, such as dnsrecord-* or dnszone-*, failed. With this update, DNS commands always supply the DNS zone with a dot character at the end, which prevents the described problem. (BZ#1198431) * After a full-server IdM restore operation, the restored server in some cases contained invalid data. In addition, if the restored server was used to reinitialize a replica, the replica then contained invalid data as well. To fix this problem, the IdM API is now created correctly during the restore operation, and *.ldif files are not skipped during the removal of RUV data. As a result, the restored server and its replica no longer contain invalid data. (BZ#1199060) * Previously, a deadlock in some cases occurred during an IdM upgrade, which could cause the IdM server to become unresponsive. With this update, the Schema Compatibility plug-in has been adjusted not to parse the subtree that contains the configuration of the DNA plug-in, which prevents this deadlock from triggering. (BZ#1199128) * When using the extdom plug-in of IdM to handle large groups, user lookups and group lookups previously failed due to insufficient buffer size. With this update, the getgrgid_r() call gradually increases the buffer length if needed, and the described failure of extdom thus no longer occurs. (BZ#1203204) Users of ipa and slapi-nis are advised to upgrade to these updated packages, which correct these issues. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-0283 CVE-2015-1827 CVE-2015-0283 slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() Fax number not displayed for user-show when kinit'ed as normal user. "an internal error has occurred" during ipa host-del --updatedns Replication agreement with replica not disabled when ipa-restore done without IPA installed Limit deadlocks between DS plugin DNA and slapi-nis CVE-2015-1827 ipa: memory corruption when using get_user_grouplist() cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0729: setroubleshoot security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 The setroubleshoot packages provide tools to help diagnose SELinux problems. When Access Vector Cache (AVC) messages are returned, an alert can be generated that provides information about the problem and helps to track its resolution. It was found that setroubleshoot did not sanitize file names supplied in a shell command look-up for RPMs associated with access violation reports. An attacker could use this flaw to escalate their privileges on the system by supplying a specially crafted file to the underlying shell command. (CVE-2015-1815) Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue. All setroubleshoot users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2015 Red Hat, Inc. CVE-2015-1815 CVE-2015-1815 setroubleshoot: command injection via crafted file name cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:0749: libxml2 security update (Moderate) Red Hat Enterprise Linux 7 The libxml2 library is a development toolbox providing the implementation of various XML standards. It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system. (CVE-2014-0191) The CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat. All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-0191 CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0750: postgresql security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 PostgreSQL is an advanced object-relational database management system (DBMS). An information leak flaw was found in the way the PostgreSQL database server handled certain error messages. An authenticated database user could possibly obtain the results of a query they did not have privileges to execute by observing the constraint violation error messages produced when the query was executed. (CVE-2014-8161) A buffer overflow flaw was found in the way PostgreSQL handled certain numeric formatting. An authenticated database user could use a specially crafted timestamp formatting template to cause PostgreSQL to crash or, under certain conditions, execute arbitrary code with the permissions of the user running PostgreSQL. (CVE-2015-0241) A stack-buffer overflow flaw was found in PostgreSQL's pgcrypto module. An authenticated database user could use this flaw to cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL. (CVE-2015-0243) A flaw was found in the way PostgreSQL handled certain errors that were generated during protocol synchronization. An authenticated database user could use this flaw to inject queries into an existing connection. (CVE-2015-0244) Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Stephen Frost as the original reporter of CVE-2014-8161; Andres Freund, Peter Geoghegan, Bernd Helmle, and Noah Misch as the original reporters of CVE-2015-0241; Marko Tiikkaja as the original reporter of CVE-2015-0243; and Emil Lenngren as the original reporter of CVE-2015-0244. All PostgreSQL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-8161 CVE-2015-0241 CVE-2015-0243 CVE-2015-0244 CVE-2014-8161 postgresql: information leak through constraint violation errors CVE-2015-0241 postgresql: buffer overflow in the to_char() function CVE-2015-0243 postgresql: buffer overflow flaws in contrib/pgcrypto CVE-2015-0244 postgresql: loss of frontend/backend protocol synchronization after an error cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0766: firefox security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-0813, CVE-2015-0815, CVE-2015-0801) A flaw was found in the way documents were loaded via resource URLs in, for example, Mozilla's PDF.js PDF file viewer. An attacker could use this flaw to bypass certain restrictions and under certain conditions even execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-0816) A flaw was found in the Beacon interface implementation in Firefox. A web page containing malicious content could allow a remote attacker to conduct a Cross-Site Request Forgery (CSRF) attack. (CVE-2015-0807) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christian Holler, Byron Campen, Steve Fink, Mariusz Mlynski, Christoph Kerschbaumer, Muneaki Nishimura, Olli Pettay, Boris Zbarsky, and Aki Helin as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 31.6.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2015-0801 CVE-2015-0807 CVE-2015-0813 CVE-2015-0815 CVE-2015-0816 CVE-2015-0815 Mozilla: Miscellaneous memory safety hazards (rv:31.6) (MFSA 2015-30) CVE-2015-0816 Mozilla: resource:// documents can load privileged pages (MFSA 2015-33) CVE-2015-0807 Mozilla: CORS requests should not follow 30x redirections after preflight (MFSA 2015-36) CVE-2015-0801 Mozilla: Same-origin bypass through anchor navigation (MFSA 2015-40) CVE-2015-0813 Mozilla: Use-after-free when using the Fluendo MP3 GStreamer plugin (MFSA 2015-31) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:0767: flac security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The flac packages contain a decoder and an encoder for the FLAC (Free Lossless Audio Codec) audio file format. A buffer overflow flaw was found in the way flac decoded FLAC audio files. An attacker could create a specially crafted FLAC audio file that could cause an application using the flac library to crash or execute arbitrary code when the file was read. (CVE-2014-9028) A buffer over-read flaw was found in the way flac processed certain ID3v2 metadata. An attacker could create a specially crafted FLAC audio file that could cause an application using the flac library to crash when the file was read. (CVE-2014-8962) All flac users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, all applications linked against the flac library must be restarted for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2014-8962 CVE-2014-9028 CVE-2014-8962 flac: Buffer read overflow when processing ID3V2 metadata CVE-2014-9028 flac: Heap buffer write overflow in read_residual_partitioned_rice_ cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0771: thunderbird security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-0813, CVE-2015-0815, CVE-2015-0801) A flaw was found in the way documents were loaded via resource URLs. An attacker could use this flaw to bypass certain restrictions and under certain conditions even execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-0816) A flaw was found in the Beacon interface implementation in Thunderbird. A web page containing malicious content could allow a remote attacker to conduct a Cross-Site Request Forgery (CSRF) attack. (CVE-2015-0807) Note: All of the above issues cannot be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christian Holler, Byron Campen, Steve Fink, Mariusz Mlynski, Christoph Kerschbaumer, Muneaki Nishimura, Olli Pettay, Boris Zbarsky, and Aki Helin as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 31.6.0. You can find a link to the Mozilla advisories in the References section of this erratum. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 31.6.0, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-0801 CVE-2015-0807 CVE-2015-0813 CVE-2015-0815 CVE-2015-0816 CVE-2015-0815 Mozilla: Miscellaneous memory safety hazards (rv:31.6) (MFSA 2015-30) CVE-2015-0816 Mozilla: resource:// documents can load privileged pages (MFSA 2015-33) CVE-2015-0807 Mozilla: CORS requests should not follow 30x redirections after preflight (MFSA 2015-37) CVE-2015-0801 Mozilla: Same-origin bypass through anchor navigation (MFSA 2015-40) CVE-2015-0813 Mozilla: Use-after-free when using the Fluendo MP3 GStreamer plugin (MFSA 2015-31) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/a:redhat:rhel_productivity:5 RHSA-2015:0797: xorg-x11-server security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. A buffer over-read flaw was found in the way the X.Org server handled XkbGetGeometry requests. A malicious, authorized client could use this flaw to disclose portions of the X.Org server memory, or cause the X.Org server to crash using a specially crafted XkbGetGeometry request. (CVE-2015-0255) This issue was discovered by Olivier Fourdan of Red Hat. All xorg-x11-server users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-0255 CVE-2015-0255 xorg-x11-server: information leak in the XkbSetGeometry request of X servers cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:0806: java-1.7.0-openjdk security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2015-0469) A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460) A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. (CVE-2015-0488) A flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0477) A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. (CVE-2005-1080, CVE-2015-0480) It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. (CVE-2015-0478) The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2005-1080 CVE-2015-0460 CVE-2015-0469 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 CVE-2005-1080 jar: directory traversal vulnerability CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726) CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699) CVE-2015-0460 OpenJDK: incorrect handling of phantom references (Hotspot, 8071931) CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320) CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601) CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0808: java-1.6.0-openjdk security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2015-0469) A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460) A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. (CVE-2015-0488) A flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0477) A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. (CVE-2005-1080, CVE-2015-0480) It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. (CVE-2015-0478) The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2005-1080 CVE-2015-0460 CVE-2015-0469 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 CVE-2005-1080 jar: directory traversal vulnerability CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726) CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699) CVE-2015-0460 OpenJDK: incorrect handling of phantom references (Hotspot, 8071931) CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320) CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601) CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 RHSA-2015:0809: java-1.8.0-openjdk security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2015-0469) A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460) A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. (CVE-2015-0488) Multiple flaws were discovered in the Beans and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-0477, CVE-2015-0470) A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. (CVE-2005-1080, CVE-2015-0480) It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. (CVE-2015-0478) The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2005-1080 CVE-2015-0460 CVE-2015-0469 CVE-2015-0470 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 CVE-2005-1080 jar: directory traversal vulnerability CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726) CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699) CVE-2015-0460 OpenJDK: incorrect handling of phantom references (Hotspot, 8071931) CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320) CVE-2015-0470 OpenJDK: incorrect handling of default methods (Hotspot, 8065366) CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601) CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0895: 389-ds-base security update (Important) Red Hat Enterprise Linux 7 The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. A flaw was found in the way Red Hat Directory Server performed authorization of modrdn operations. An unauthenticated attacker able to issue an ldapmodrdn call to the directory server could use this flaw to perform unauthorized modifications of entries in the directory server. (CVE-2015-1854) This issue was discovered by Simo Sorce of Red Hat. All 389-ds-base users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the 389 server service will be restarted automatically. Important Copyright 2015 Red Hat, Inc. CVE-2015-1854 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0980: pcs security and bug fix update (Important) Red Hat Enterprise Linux 7 The pcs packages provide a command-line tool and a web UI to configure and manage the Pacemaker and Corosync tools. It was found that the pcs daemon did not sign cookies containing session data that were sent to clients connecting via the pcsd web UI. A remote attacker could use this flaw to forge cookies and bypass authorization checks, possibly gaining elevated privileges in the pcsd web UI. (CVE-2015-1848) This issue was discovered by Tomas Jelinek of Red Hat. This update also fixes the following bug: * Previously, the Corosync tool allowed the two_node option and the auto_tie_breaker option to exist in the corosync.conf file at the same time. As a consequence, if both options were included, auto_tie_breaker was silently ignored and the two_node fence race decided which node would survive in the event of a communication break. With this update, the pcs daemon has been fixed so that it does not produce corosync.conf files with both two_node and auto_tie_breaker included. In addition, if both two_node and auto_tie_breaker are detected in corosync.conf, Corosync issues a message at start-up and disables two_node mode. As a result, auto_tie_breaker effectively overrides two_node mode if both options are specified. (BZ#1205848) All pcs users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the pcsd daemon will be restarted automatically. Important Copyright 2015 Red Hat, Inc. CVE-2015-1848 CVE-2015-3983 CVE-2015-1848 CVE-2015-3983 pcs: improper web session variable signing cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0981: kernel-rt security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. * A buffer overflow flaw was found in the way the Linux kernel's Intel AES-NI instructions optimized version of the RFC4106 GCM mode decryption functionality handled fragmented packets. A remote attacker could use this flaw to crash, or potentially escalate their privileges on, a system over a connection with an active AEC-GCM mode IPSec security association. (CVE-2015-3331, Important) The kernel-rt packages have been upgraded to version 3.10.0-229.4.1, which provides a number of bug fixes and enhancements over the previous version, including: * Audit subsystem not resolving path name on directory watches * audit watches do not track correctly after a rename * auditctl output is changed in RHEL 7 * megaraid_sas: non-booting system with intel_iommu=on kernel parameter * GFS2: kernel NULL pointer dereference in gfs2_inplace_reserve * Crypto adapter cannot be brought online - affect all HW * crypto/seqiv.c: wrong check of return code from crypto_rng_get_bytes * Backport crypto: sha256_ssse3 - also test for BMI2 * Null pointer at team_handle_frame+0x62/0x100 [team] * AES CTR x86_64 "by8" AVX optimization * Intel RDSEED - Fix for entropy counting * Intel SHA1 multi-buffer crypto implementation * Intel SHA1 AVX2 optimization support * mlx4_en: HW timestamp ends up in error queue of socket which does not have SO_TIMESTAMPING enabled (BZ#1209963) This update also fixes the following bugs: * Prior to this update, heavy lock contention occurred on systems with greater than 32 cores when large numbers of tasks went idle simultaneously. Consequently, all the idle CPUs attempted to acquire the run-queue (rq) lock of a CPU with extra tasks in order to pull those run-able tasks. This increased scheduler latency due to the lock contention. Instead of each idle CPU attempting to acquire the run-queue lock, now each idle CPU will send an IPI to let the overloaded CPU select one core to pull tasks from it. The result is less spin-lock contention on the rq lock and produces improved scheduler response time. (BZ#1210924) * The CONFIG_NO_HZ logic enabled/disabled the timer tick every time a CPU went into an idle state. This timer tick manipulation caused the system performance (throughput) to suffer. The CONFIG_NO_HZ configuration setting is now turned off by default, which increases the throughput due to the lower idle overhead while allowing system administrators to enable it selectively in their environment. (BZ#1210597) All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-3331 kernel-rt: rebase tree to match RHEL7.1.z source tree CVE-2015-3331 Kernel: crypto: buffer overruns in RFC4106 implementation using AESNI cpe:/a:redhat:rhel_extras_rt:7 RHSA-2015:0983: tomcat security update (Moderate) Red Hat Enterprise Linux 7 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make Tomcat process part of the request body as new request, or cause a denial of service. (CVE-2014-0227) All Tomcat 7 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the tomcat service will be restarted automatically. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-0227 CVE-2014-0227 Tomcat/JBossWeb: request smuggling andl imited DoS in ChunkedInputFilter cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0986: kexec-tools security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The kexec-tools packages contain the /sbin/kexec binary and utilities that together form the user-space component of the kernel's kexec feature. The /sbin/kexec binary facilitates a new kernel to boot using the kernel's kexec feature either on a normal or a panic reboot. The kexec fastboot mechanism allows booting a Linux kernel from the context of an already running kernel. It was found that the module-setup.sh script provided by kexec-tools created temporary files in an insecure way. A malicious, local user could use this flaw to conduct a symbolic link attack, allowing them to overwrite the contents of arbitrary files. (CVE-2015-0267) This issue was discovered by Harald Hoyer of Red Hat. This update also fixes the following bug: * On Red Hat Enterprise Linux Atomic Host systems, the kdump tool previously saved kernel crash dumps in the /sysroot/crash file instead of the /var/crash file. The parsing error that caused this problem has been fixed, and the kernel crash dumps are now correctly saved in /var/crash. (BZ#1206464) In addition, this update adds the following enhancement: * The makedumpfile command now supports the new sadump format that can represent more than 16 TB of physical memory space. This allows users of makedumpfile to read dump files over 16 TB, generated by sadump on certain upcoming server models. (BZ#1208753) All kexec-tools users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-0267 CVE-2015-0267 kexec-tools: insecure use of /tmp/*$$* filenames cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0987: kernel security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A buffer overflow flaw was found in the way the Linux kernel's Intel AES-NI instructions optimized version of the RFC4106 GCM mode decryption functionality handled fragmented packets. A remote attacker could use this flaw to crash, or potentially escalate their privileges on, a system over a connection with an active AEC-GCM mode IPSec security association. (CVE-2015-3331, Important) This update also fixes the following bugs: * Previously, the kernel audit subsystem did not correctly track file path names which could lead to empty, or "(null)" path names in the PATH audit records. This update fixes the bug by correctly tracking file path names and displaying the names in the audit PATH records. (BZ#1197746) * Due to a change in the internal representation of field types, AUDIT_LOGINUID set to -1 (4294967295) by the audit API was asymmetrically converted to an AUDIT_LOGINUID_SET field with a value of 0, unrecognized by an older audit API. To fix this bug, the kernel takes note about the way the rule has been formulated and reports the rule in the originally given form. As a result, older versions of audit provide a report as expected, in the AUDIT_LOGINUID field type form, whereas the newer versions can migrate to the new AUDIT_LOGINUID_SET filed type. (BZ#1197748) * The GFS2 file system "Splice Read" operation, which is used for the sendfile() function, was not properly allocating a required multi-block reservation structure in memory. Consequently, when the GFS2 block allocator was called to assign blocks of data, it attempted to dereference the structure, which resulted in a kernel panic. With this update, "Splice read" operation properly allocates the necessary reservation structure in memory prior to calling the block allocator, and sendfile() thus works properly for GFS2. (BZ#1201256) * Moving an Open vSwitch (OVS) internal vport to a different net name space and subsequently deleting that name space led to a kernel panic. This bug has been fixed by removing the OVS internal vport at net name space deletion. (BZ#1202357) * Previously, the kernel audit subsystem was not correctly handling file and directory moves, leading to audit records that did not match the audit file watches. This fix correctly handles moves such that the audit file watches work correctly. (BZ#1202358) * Due to a regression, the crypto adapter could not be set online. A patch has been provided that fixes the device registration process so that the device can be used also before the registration process is completed, thus fixing this bug. (BZ#1205300) * Due to incorrect calculation for entropy during the entropy addition, the amount of entropy in the /dev/random file could be overestimated. The formula for the entropy addition has been changed, thus fixing this bug. (BZ#1211288) * Previously, the ansi_cprng and drbg utilities did not obey the call convention and returned the positive value on success instead of the correct value of zero. Consequently, Internet Protocol Security (IPsec) terminated unexpectedly when ansi_cprng or drbg were used. With this update, ansi_cprng and drbg have been changed to return zero on success, and IPsec now functions correctly. (BZ#1211487) * Due to a failure to clear the timestamp flag when reusing a tx descriptor in the mlx4_en driver, programs that did not request a hardware timestamp packet on their sent data received it anyway, resulting in unexpected behavior in certain applications. With this update, when reusing the tx descriptor in the mlx4_en driver in the aforementioned situation, the hardware timestamp flag is cleared, and applications now behave as expected. (BZ#1209240) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-3331 CVE-2015-3331 Kernel: crypto: buffer overruns in RFC4106 implementation using AESNI cpe:/o:redhat:enterprise_linux:7 RHSA-2015:0988: firefox security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-2708, CVE-2015-0797, CVE-2015-2710, CVE-2015-2713) A heap-based buffer overflow flaw was found in the way Firefox processed compressed XML data. An attacker could create specially crafted compressed XML content that, when processed by Firefox, could cause it to crash or execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-2716) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jesse Ruderman, Mats Palmgren, Byron Campen, Steve Fink, Aki Helin, Atte Kettunen, Scott Bell, and Ucha Gobejishvili as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2015-0797 CVE-2015-2708 CVE-2015-2710 CVE-2015-2713 CVE-2015-2716 CVE-2015-4496 CVE-2015-2708 Mozilla: Miscellaneous memory safety hazards (rv:31.7) (MFSA 2015-46) CVE-2015-0797 Mozilla: Buffer overflow parsing H.264 video with Linux Gstreamer (MFSA 2015-47) CVE-2015-2710 Mozilla: Buffer overflow with SVG content and CSS (MFSA 2015-48) CVE-2015-2713 Mozilla: Use-after-free during text processing with vertical text enabled (MFSA 2015-51) CVE-2015-2716 Mozilla: Buffer overflow when parsing compressed XML (MFSA 2015-54) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:0999: qemu-kvm security update (Important) Red Hat Enterprise Linux 7 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU's virtual Floppy Disk Controller (FDC) handled FIFO buffer access while processing certain FDC commands. A privileged guest user could use this flaw to crash the guest or, potentially, execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest. (CVE-2015-3456) Red Hat would like to thank Jason Geffner of CrowdStrike for reporting this issue. All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-3456 CVE-2015-3456 qemu: fdc: out-of-bounds fifo buffer memory access cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1012: thunderbird security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-2708, CVE-2015-2710, CVE-2015-2713) A heap-based buffer overflow flaw was found in the way Thunderbird processed compressed XML data. An attacker could create specially crafted compressed XML content that, when processed by Thunderbird, could cause it to crash or execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-2716) Note: All of the above issues cannot be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jesse Ruderman, Mats Palmgren, Byron Campen, Steve Fink, Atte Kettunen, Scott Bell, and Ucha Gobejishvili as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 31.7. You can find a link to the Mozilla advisories in the References section of this erratum. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 31.7, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-2708 CVE-2015-2710 CVE-2015-2713 CVE-2015-2716 CVE-2015-2708 Mozilla: Miscellaneous memory safety hazards (rv:31.7) (MFSA 2015-46) CVE-2015-2710 Mozilla: Buffer overflow with SVG content and CSS (MFSA 2015-48) CVE-2015-2713 Mozilla: Use-after-free during text processing with vertical text enabled (MFSA 2015-51) CVE-2015-2716 Mozilla: Buffer overflow when parsing compressed XML (MFSA 2015-54) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 cpe:/a:redhat:rhel_productivity:5 RHSA-2015:1072: openssl security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A flaw was found in the way the TLS protocol composes the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them do decrypt all traffic. (CVE-2015-4000) Note: This update forces the TLS/SSL client implementation in OpenSSL to reject DH key sizes below 768 bits, which prevents sessions to be downgraded to export-grade keys. Future updates may raise this limit to 1024 bits. All openssl users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-4000 CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1083: abrt security update (Important) Red Hat Enterprise Linux 7 ABRT (Automatic Bug Reporting Tool) is a tool to help users to detect defects in applications and to create a bug report with all the information needed by a maintainer to fix it. It uses a plug-in system to extend its functionality. It was found that ABRT was vulnerable to multiple race condition and symbolic link flaws. A local attacker could use these flaws to potentially escalate their privileges on the system. (CVE-2015-3315) It was discovered that the kernel-invoked coredump processor provided by ABRT wrote core dumps to files owned by other system users. This could result in information disclosure if an application crashed while its current directory was a directory writable to by other users (such as /tmp). (CVE-2015-3142) It was discovered that the default event handling scripts installed by ABRT did not handle symbolic links correctly. A local attacker with write access to an ABRT problem directory could use this flaw to escalate their privileges. (CVE-2015-1869) It was found that the ABRT event scripts created a user-readable copy of an sosreport file in ABRT problem directories, and included excerpts of /var/log/messages selected by the user-controlled process name, leading to an information disclosure. (CVE-2015-1870) It was discovered that, when moving problem reports between certain directories, abrt-handle-upload did not verify that the new problem directory had appropriate permissions and did not contain symbolic links. An attacker able to create a crafted problem report could use this flaw to expose other parts of ABRT to attack, or to overwrite arbitrary files on the system. (CVE-2015-3147) Multiple directory traversal flaws were found in the abrt-dbus D-Bus service. A local attacker could use these flaws to read and write arbitrary files as the root user. (CVE-2015-3151) It was discovered that the abrt-dbus D-Bus service did not properly check the validity of the problem directory argument in the ChownProblemDir, DeleteElement, and DeleteProblem methods. A local attacker could use this flaw to take ownership of arbitrary files and directories, or to delete files and directories as the root user. (CVE-2015-3150) It was discovered that the abrt-action-install-debuginfo-to-abrt-cache helper program did not properly filter the process environment before invoking abrt-action-install-debuginfo. A local attacker could use this flaw to escalate their privileges on the system. (CVE-2015-3159) All users of abrt are advised to upgrade to these updated packages, which correct these issues. Important Copyright 2015 Red Hat, Inc. CVE-2015-1869 CVE-2015-1870 CVE-2015-3142 CVE-2015-3147 CVE-2015-3150 CVE-2015-3151 CVE-2015-3159 CVE-2015-3315 CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt CVE-2015-3142 abrt: abrt-hook-ccpp writes core dumps to existing files owned by others CVE-2015-1869 abrt: default event scripts follow symbolic links CVE-2015-1870 abrt: default abrt event scripts lead to information disclosure CVE-2015-3147 abrt: does not validate contents of uploaded problem reports CVE-2015-3151 abrt: directory traversals in several D-Bus methods implemented by abrt-dbus CVE-2015-3150 abrt: abrt-dbus does not guard against crafted problem directory path arguments CVE-2015-3159 abrt: missing process environment sanitizaton in abrt-action-install-debuginfo-to-abrt-cache libreport: races in dump directory handling code [rhel-7.1.z] cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1090: wpa_supplicant security and enhancement update (Important) Red Hat Enterprise Linux 7 The wpa_supplicant package contains an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. It implements key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. A buffer overflow flaw was found in the way wpa_supplicant handled SSID information in the Wi-Fi Direct / P2P management frames. A specially crafted frame could allow an attacker within Wi-Fi radio range to cause wpa_supplicant to crash or, possibly, execute arbitrary code. (CVE-2015-1863) An integer underflow flaw, leading to a buffer over-read, was found in the way wpa_supplicant handled WMM Action frames. A specially crafted frame could possibly allow an attacker within Wi-Fi radio range to cause wpa_supplicant to crash. (CVE-2015-4142) Red Hat would like to thank Jouni Malinen of the wpa_supplicant upstream for reporting the CVE-2015-1863 issue. Upstream acknowledges Alibaba security team as the original reporter. This update also adds the following enhancement: * Prior to this update, wpa_supplicant did not provide a way to require the host name to be listed in an X.509 certificate's Common Name or Subject Alternative Name, and only allowed host name suffix or subject substring checks. This update introduces a new configuration directive, 'domain_match', which adds a full host name check. (BZ#1178263) All wpa_supplicant users are advised to upgrade to this updated package, which contains backported patches to correct these issues and add this enhancement. After installing this update, the wpa_supplicant service will be restarted automatically. Important Copyright 2015 Red Hat, Inc. CVE-2015-1863 CVE-2015-4142 wpa_supplicant: add support for non-substring server identity check [rhel-7] CVE-2015-1863 wpa_supplicant: P2P SSID processing vulnerability CVE-2015-4142 wpa_supplicant and hostapd: integer underflow in AP mode WMM Action frame processing cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1115: openssl security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. An invalid free flaw was found in the way OpenSSL handled certain DTLS handshake messages. A malicious DTLS client or server could cause a DTLS server or client using OpenSSL to crash or, potentially, execute arbitrary code. (CVE-2014-8176) A flaw was found in the way the OpenSSL packages shipped with Red Hat Enterprise Linux 6 and 7 performed locking in the ssleay_rand_bytes() function. This issue could possibly cause a multi-threaded application using OpenSSL to perform an out-of-bounds read and crash. (CVE-2015-3216) An out-of-bounds read flaw was found in the X509_cmp_time() function of OpenSSL. A specially crafted X.509 certificate or a Certificate Revocation List (CRL) could possibly cause a TLS/SSL server or client using OpenSSL to crash. (CVE-2015-1789) A race condition was found in the session handling code of OpenSSL. This issue could possibly cause a multi-threaded TLS/SSL client using OpenSSL to double free session ticket data and crash. (CVE-2015-1791) A flaw was found in the way OpenSSL handled Cryptographic Message Syntax (CMS) messages. A CMS message with an unknown hash function identifier could cause an application using OpenSSL to enter an infinite loop. (CVE-2015-1792) A NULL pointer dereference was found in the way OpenSSL handled certain PKCS#7 inputs. A specially crafted PKCS#7 input with missing EncryptedContent data could cause an application using OpenSSL to crash. (CVE-2015-1790) Red Hat would like to thank the OpenSSL project for reporting CVE-2014-8176, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791 and CVE-2015-1792 flaws. Upstream acknowledges Praveen Kariyanahalli and Ivan Fratric as the original reporters of CVE-2014-8176, Robert Swiecki and Hanno Böck as the original reporters of CVE-2015-1789, Michal Zalewski as the original reporter of CVE-2015-1790, Emilia Käsper as the original report of CVE-2015-1791 and Johannes Bauer as the original reporter of CVE-2015-1792. All openssl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-8176 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 CVE-2015-3216 CVE-2015-3216 openssl: Crash in ssleay_rand_bytes due to locking regression CVE-2015-1789 OpenSSL: out-of-bounds read in X509_cmp_time CVE-2015-1790 OpenSSL: PKCS7 crash with missing EnvelopedContent CVE-2015-1792 OpenSSL: CMS verify infinite loop with unknown hash function CVE-2015-1791 OpenSSL: Race condition handling NewSessionTicket CVE-2014-8176 OpenSSL: Invalid free in DTLS cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1123: cups security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems. A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158) A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159) An integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially-crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash. (CVE-2014-9679) Red Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and CVE-2015-1159 issues. All cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically. Important Copyright 2015 Red Hat, Inc. CVE-2014-9679 CVE-2015-1158 CVE-2015-1159 CVE-2014-9679 cups: cupsRasterReadPixels buffer overflow CVE-2015-1158 cups: incorrect string reference counting (VU#810572) CVE-2015-1159 cups: cross-site scripting flaw in CUPS web UI (VU#810572) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:1135: php security and bug fix update (Important) Red Hat Enterprise Linux 7 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024) An uninitialized pointer use flaw was found in PHP's Exif extension. A specially crafted JPEG or TIFF file could cause a PHP application using the exif_read_data() function to crash or, possibly, execute arbitrary code with the privileges of the user running that PHP application. (CVE-2015-0232) An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-4022) Multiple flaws were discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2014-8142, CVE-2015-0231, CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603) It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2015-2348, CVE-2015-4025, CVE-2015-4026, CVE-2015-3411, CVE-2015-3412, CVE-2015-4598) Multiple flaws were found in the way the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. (CVE-2015-2301, CVE-2015-2783, CVE-2015-3307, CVE-2015-3329, CVE-2015-4021) Multiple flaws were found in PHP's File Information (fileinfo) extension. A remote attacker could cause a PHP application to crash if it used fileinfo to identify type of attacker supplied files. (CVE-2014-9652, CVE-2015-4604, CVE-2015-4605) A heap buffer overflow flaw was found in the enchant_broker_request_dict() function of PHP's enchant extension. An attacker able to make a PHP application enchant dictionaries could possibly cause it to crash. (CVE-2014-9705) A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted GIF file could cause a PHP application using the imagecreatefromgif() function to crash. (CVE-2014-9709) This update also fixes the following bugs: * The libgmp library in some cases terminated unexpectedly with a segmentation fault when being used with other libraries that use the GMP memory management. With this update, PHP no longer changes libgmp memory allocators, which prevents the described crash from occurring. (BZ#1212305) * When using the Open Database Connectivity (ODBC) API, the PHP process in some cases terminated unexpectedly with a segmentation fault. The underlying code has been adjusted to prevent this crash. (BZ#1212299) * Previously, running PHP on a big-endian system sometimes led to memory corruption in the fileinfo module. This update adjusts the behavior of the PHP pointer so that it can be freed without causing memory corruption. (BZ#1212298) All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2014-8142 CVE-2014-9652 CVE-2014-9705 CVE-2014-9709 CVE-2015-0231 CVE-2015-0232 CVE-2015-0273 CVE-2015-2301 CVE-2015-2348 CVE-2015-2783 CVE-2015-2787 CVE-2015-3307 CVE-2015-3329 CVE-2015-3330 CVE-2015-3411 CVE-2015-3412 CVE-2015-4021 CVE-2015-4022 CVE-2015-4024 CVE-2015-4025 CVE-2015-4026 CVE-2015-4147 CVE-2015-4148 CVE-2015-4598 CVE-2015-4599 CVE-2015-4600 CVE-2015-4601 CVE-2015-4602 CVE-2015-4603 CVE-2015-4604 CVE-2015-4605 CVE-2015-4643 CVE-2014-8142 php: use after free vulnerability in unserialize() CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142) CVE-2015-0232 php: Free called on unitialized pointer in exif.c CVE-2014-9652 file: out of bounds read in mconvert() CVE-2014-9709 gd: buffer read overflow in gd_gif_in.c CVE-2015-0273 php: use after free vulnerability in unserialize() with DateTimeZone CVE-2014-9705 php: heap buffer overflow in enchant_broker_request_dict() CVE-2015-2301 php: use after free in phar_object.c CVE-2015-4147 php: SoapClient's __call() type confusion through unserialize() CVE-2015-2787 php: use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re CVE-2015-2348 php: move_uploaded_file() NUL byte injection in file name CVE-2015-3330 php: pipelined request executed in deinitialized interpreter under httpd 2.4 CVE-2015-3411 php: missing null byte checks for paths in various PHP extensions CVE-2015-4604 CVE-2015-4605 php: denial of service when processing a crafted file with Fileinfo CVE-2015-2783 php: buffer over-read in Phar metadata parsing CVE-2015-3329 php: buffer overflow in phar_set_inode() CVE-2015-4024 php: multipart/form-data request parsing CPU usage DoS CVE-2015-4599 CVE-2015-4600 CVE-2015-4601 php: type confusion issue in unserialize() with various SOAP methods CVE-2015-4025 php: CVE-2006-7243 regressions in 5.4+ CVE-2015-4022 php: integer overflow leading to heap overflow when reading FTP file listing CVE-2015-4026 php: pcntl_exec() accepts paths with NUL character CVE-2015-4021 php: memory corruption in phar_parse_tarfile caused by empty entry file name CVE-2015-3307 php: invalid pointer free() in phar_tar_process_metadata() CVE-2015-4148 php: SoapClient's do_soap_call() type confusion after unserialize() CVE-2015-3412 php: missing null byte checks for paths in various PHP extensions CVE-2015-4598 php: missing null byte checks for paths in DOM and GD extensions CVE-2015-4603 php: exception::getTraceAsString type confusion issue after unserialize CVE-2015-4602 php: Incomplete Class unserialization type confusion cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1137: kernel security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Linux kernel's implementation of vectored pipe read and write functionality did not take into account the I/O vectors that were already processed when retrying after a failed atomic access operation, potentially resulting in memory corruption due to an I/O vector array overrun. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-1805, Important) * A race condition flaw was found in the way the Linux kernel keys management subsystem performed key garbage collection. A local attacker could attempt accessing a key while it was being garbage collected, which would cause the system to crash. (CVE-2014-9529, Moderate) * A flaw was found in the way the Linux kernel's 32-bit emulation implementation handled forking or closing of a task with an 'int80' entry. A local user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-2830, Low) * It was found that the Linux kernel's ISO file system implementation did not correctly limit the traversal of Rock Ridge extension Continuation Entries (CE). An attacker with physical access to the system could use this flaw to trigger an infinite loop in the kernel, resulting in a denial of service. (CVE-2014-9420, Low) * An information leak flaw was found in the way the Linux kernel's ISO9660 file system implementation accessed data on an ISO9660 image with RockRidge Extension Reference (ER) records. An attacker with physical access to the system could use this flaw to disclose up to 255 bytes of kernel memory. (CVE-2014-9584, Low) * A flaw was found in the way the nft_flush_table() function of the Linux kernel's netfilter tables implementation flushed rules that were referencing deleted chains. A local user who has the CAP_NET_ADMIN capability could use this flaw to crash the system. (CVE-2015-1573, Low) * An integer overflow flaw was found in the way the Linux kernel randomized the stack for processes on certain 64-bit architecture systems, such as x86-64, causing the stack entropy to be reduced by four. (CVE-2015-1593, Low) Red Hat would like to thank Carl Henrik Lunde for reporting CVE-2014-9420 and CVE-2014-9584. The security impact of the CVE-2015-1805 issue was discovered by Red Hat. This update also fixes several bugs. Documentation for these changes is available from the following Knowledgebase article: https://access.redhat.com/articles/1469163 All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2015-1573 CVE-2015-1593 CVE-2015-1805 CVE-2015-2830 CVE-2014-9420 Kernel: fs: isofs: infinite loop in CE record entries CVE-2014-9529 kernel: use-after-free during key garbage collection CVE-2014-9584 kernel: isofs: unchecked printing of ER records CVE-2015-1573 kernel: panic while flushing nftables rules that reference deleted chains. CVE-2015-1593 kernel: Linux stack ASLR implementation Integer overflow CVE-2015-1805 kernel: pipe: iovec overrun leading to memory corruption CVE-2015-2830 kernel: int80 fork from 64-bit tasks mishandling cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1139: kernel-rt security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Linux kernel's implementation of vectored pipe read and write functionality did not take into account the I/O vectors that were already processed when retrying after a failed atomic access operation, potentially resulting in memory corruption due to an I/O vector array overrun. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-1805, Important) * A race condition flaw was found in the way the Linux kernel keys management subsystem performed key garbage collection. A local attacker could attempt accessing a key while it was being garbage collected, which would cause the system to crash. (CVE-2014-9529, Moderate) * A flaw was found in the way the Linux kernel's 32-bit emulation implementation handled forking or closing of a task with an 'int80' entry. A local user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-2830, Low) * It was found that the Linux kernel's ISO file system implementation did not correctly limit the traversal of Rock Ridge extension Continuation Entries (CE). An attacker with physical access to the system could use this flaw to trigger an infinite loop in the kernel, resulting in a denial of service. (CVE-2014-9420, Low) * An information leak flaw was found in the way the Linux kernel's ISO9660 file system implementation accessed data on an ISO9660 image with RockRidge Extension Reference (ER) records. An attacker with physical access to the system could use this flaw to disclose up to 255 bytes of kernel memory. (CVE-2014-9584, Low) * A flaw was found in the way the nft_flush_table() function of the Linux kernel's netfilter tables implementation flushed rules that were referencing deleted chains. A local user who has the CAP_NET_ADMIN capability could use this flaw to crash the system. (CVE-2015-1573, Low) * An integer overflow flaw was found in the way the Linux kernel randomized the stack for processes on certain 64-bit architecture systems, such as x86-64, causing the stack entropy to be reduced by four. (CVE-2015-1593, Low) Red Hat would like to thank Carl Henrik Lunde for reporting CVE-2014-9420 and CVE-2014-9584. The security impact of CVE-2015-1805 was discovered by Red Hat. The kernel-rt packages have been upgraded to version 3.10.0-229.7.2, which provides a number of bug fixes and enhancements over the previous version, including: * storvsc: get rid of overly verbose warning messages * storvsc: force discovery of LUNs that may have been removed * storvsc: in responce to a scan event, scan the hos * storvsc: NULL pointer dereference fix * futex: Mention key referencing differences between shared and private futexes * futex: Ensure get_futex_key_refs() always implies a barrier * kernel module: set nx before marking module MODULE_STATE_COMING * kernel module: Clean up ro/nx after early module load failures * btrfs: make xattr replace operations atomic * megaraid_sas: revert: Add release date and update driver version * radeon: fix kernel segfault in hwmonitor (BZ#1223955) Bug fix: * There is an XFS optimization that depended on a spinlock to disable preemption using the preempt_disable() function. When CONFIG_PREEMPT_RT is enabled on realtime kernels, spinlocks do not disable preemption while held, so the XFS critical section was not protected from preemption. Systems on the Realtime kernel-rt could lock up in this XFS optimization when a task that locked all the counters was then preempted by a realtime task, causing all callers of that lock to block indefinitely. This update disables the optimization when building a kernel with CONFIG_PREEMPT_RT_FULL enabled. (BZ#1223955) All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2015-1573 CVE-2015-1593 CVE-2015-1805 CVE-2015-2830 CVE-2014-9420 Kernel: fs: isofs: infinite loop in CE record entries CVE-2014-9529 kernel: use-after-free during key garbage collection CVE-2014-9584 kernel: isofs: unchecked printing of ER records CVE-2015-1573 kernel: panic while flushing nftables rules that reference deleted chains. CVE-2015-1593 kernel: Linux stack ASLR implementation Integer overflow CVE-2015-1805 kernel: pipe: iovec overrun leading to memory corruption CVE-2015-2830 kernel: int80 fork from 64-bit tasks mishandling kernel-rt: rebase to the RHEL7.1.z batch3 source tree cpe:/a:redhat:rhel_extras_rt:7 RHSA-2015:1153: mailman security and bug fix update (Moderate) Red Hat Enterprise Linux 7 Mailman is a program used to help manage email discussion lists. It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman. (CVE-2015-2775) This update also fixes the following bugs: * Previously, it was impossible to configure Mailman in a way that Domain-based Message Authentication, Reporting & Conformance (DMARC) would recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures. Consequently, Mailman list subscribers that belonged to a mail server with a "reject" policy for DMARC, such as yahoo.com or AOL.com, were unable to receive Mailman forwarded messages from senders residing in any domain that provided DKIM signatures. With this update, domains with a "reject" DMARC policy are recognized correctly, and Mailman list administrators are able to configure the way these messages are handled. As a result, after a proper configuration, subscribers now correctly receive Mailman forwarded messages in this scenario. (BZ#1229288) * Previously, the /etc/mailman file had incorrectly set permissions, which in some cases caused removing Mailman lists to fail with a "'NoneType' object has no attribute 'close'" message. With this update, the permissions value for /etc/mailman is correctly set to 2775 instead of 0755, and removing Mailman lists now works as expected. (BZ#1229307) * Prior to this update, the mailman utility incorrectly installed the tmpfiles configuration in the /etc/tmpfiles.d/ directory. As a consequence, changes made to mailman tmpfiles configuration were overwritten if the mailman packages were reinstalled or updated. The mailman utility now installs the tmpfiles configuration in the /usr/lib/tmpfiles.d/ directory, and changes made to them by the user are preserved on reinstall or update. (BZ#1229306) All mailman users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-2775 CVE-2015-2775 mailman: directory traversal in MTA transports that deliver programmatically Yahoo.com and AOL DMARC reject policies cripples Mailman-2.1.12 - update to newer release /etc/mailman has wrong permissions 0755 instead of 2775 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1154: libreswan security, bug fix and enhancement update (Moderate) Red Hat Enterprise Linux 7 Libreswan is an implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network (VPN). A flaw was discovered in the way Libreswan's IKE daemon processed certain IKEv1 payloads. A remote attacker could send specially crafted IKEv1 payloads that, when processed, would lead to a denial of service (daemon crash). (CVE-2015-3204) Red Hat would like to thank Javantea for reporting this issue. This update fixes the following bugs: * Previously, the programs/pluto/state.h and programs/pluto/kernel_netlink.c files had a maximum SELinux context size of 257 and 1024 respectively. These restrictions set by libreswan limited the size of the context that can be exchanged by pluto (the IPSec daemon) when using a Labeled Internet Protocol Security (IPsec). The SElinux labels for Labeled IPsec have been extended to 4096 bytes and the mentioned restrictions no longer exist. (BZ#1198650) * On some architectures, the kernel AES_GCM IPsec algorithm did not work properly with acceleration drivers. On those kernels, some acceleration modules are added to the modprobe blacklist. However, Libreswan was ignoring this blacklist, leading to AES_GCM failures. This update adds support for the module blacklist to the libreswan packages and thus prevents the AES_GCM failures from occurring. (BZ#1208022) * An IPv6 issue has been resolved that prevented ipv6-icmp Neighbour Discovery from working properly once an IPsec tunnel is established (and one endpoint reboots). When upgrading, ensure that /etc/ipsec.conf is loading all /etc/ipsec.d/*conf files using the /etc/ipsec.conf "include" statement, or explicitly include this new configuration file in /etc/ipsec.conf. (BZ#1208023) * A FIPS self-test prevented libreswan from properly starting in FIPS mode. This bug has been fixed and libreswan now works in FIPS mode as expected. (BZ#1211146) In addition, this update adds the following enhancements: * A new option "seedbits=" has been added to pre-seed the Network Security Services (NSS) pseudo random number generator (PRNG) function with entropy from the /dev/random file on startup. This option is disabled by default. It can be enabled by setting the "seedbits=" option in the "config setup" section in the /etc/ipsec.conf file. (BZ#1198649) * The build process now runs a Cryptographic Algorithm Validation Program (CAVP) certification test on the Internet Key Exchange version 1 and 2 (IKEv1 and IKEv2) PRF/PRF+ functions. (BZ#1213652) All libreswan users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-3204 CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1185: nss security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. A flaw was found in the way the TLS protocol composes the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them do decrypt all traffic. (CVE-2015-4000) Note: This update forces the TLS/SSL client implementation in NSS to reject DH key sizes below 768 bits, which prevents sessions to be downgraded to export-grade keys. Future updates may raise this limit to 1024 bits. The nss and nss-util packages have been upgraded to upstream versions 3.19.1. The upgraded versions provide a number of bug fixes and enhancements over the previous versions. Users of nss and nss-util are advised to upgrade to these updated packages, which fix these security flaws, bugs, and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-2721 CVE-2015-4000 CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1193: xerces-c security update (Moderate) Red Hat Enterprise Linux 7 Xerces-C is a validating XML parser written in a portable subset of C++. A flaw was found in the way the Xerces-C XML parser processed certain XML documents. A remote attacker could provide specially crafted XML input that, when parsed by an application using Xerces-C, would cause that application to crash. (CVE-2015-0252) All xerces-c users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-0252 CVE-2015-0252 xerces-c: crashes on malformed input cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1194: postgresql security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 PostgreSQL is an advanced object-relational database management system (DBMS). A double-free flaw was found in the connection handling. An unauthenticated attacker could exploit this flaw to crash the PostgreSQL back end by disconnecting at approximately the same time as the authentication time out is triggered. (CVE-2015-3165) It was discovered that PostgreSQL did not properly check the return values of certain standard library functions. If the system is in a state that would cause the standard library functions to fail, for example memory exhaustion, an authenticated user could exploit this flaw to disclose partial memory contents or cause the GSSAPI authentication to use an incorrect keytab file. (CVE-2015-3166) It was discovered that the pgcrypto module could return different error messages when decrypting certain data with an incorrect key. This can help an authenticated user to launch a possible cryptographic attack, although no suitable attack is currently known. (CVE-2015-3167) Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Benkocs Norbert Attila as the original reporter of CVE-2015-3165 and Noah Misch as the original reporter of CVE-2015-3166 and CVE-2015-3167. All PostgreSQL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-3165 CVE-2015-3166 CVE-2015-3167 CVE-2015-3165 postgresql: double-free after authentication timeout CVE-2015-3166 postgresql: unanticipated errors from the standard library CVE-2015-3167 postgresql: pgcrypto has multiple error messages for decryption with an incorrect key. cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:1207: firefox security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2722, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740) It was found that Firefox skipped key-pinning checks when handling an error that could be overridden by the user (for example an expired certificate error). This flaw allowed a user to override a pinned certificate, which is an action the user should not be able to perform. (CVE-2015-2741) A flaw was discovered in Mozilla's PDF.js PDF file viewer. When combined with another vulnerability, it could allow execution of arbitrary code with the privileges of the user running Firefox. (CVE-2015-2743) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Bob Clary, Christian Holler, Bobby Holley, Andrew McCreight, Terrence Cole, Steve Fink, Mats Palmgren, Wes Kocher, Andreas Pehrson, Jann Horn, Paul Bandha, Holger Fuhrmannek, Herre, Looben Yan, Ronald Crane, and Jonas Jenwald as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.1 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2015-2722 CVE-2015-2724 CVE-2015-2725 CVE-2015-2727 CVE-2015-2728 CVE-2015-2729 CVE-2015-2731 CVE-2015-2733 CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 CVE-2015-2741 CVE-2015-2743 CVE-2015-2724 CVE-2015-2725 Mozilla: Miscellaneous memory safety hazards (rv:31.8 / rv:38.1) (MFSA 2015-59) CVE-2015-2727 Mozilla: Local files or privileged URLs in pages can be opened into new tabs (MFSA 2015-60) CVE-2015-2728 Mozilla: Type confusion in Indexed Database Manager (MFSA 2015-61) CVE-2015-2729 Mozilla: Out-of-bound read while computing an oscillator rendering range in Web Audio (MFSA 2015-62) CVE-2015-2731 Mozilla: Use-after-free in Content Policy due to microtask execution error (MFSA 2015-63) CVE-2015-2722 CVE-2015-2733 Mozilla: Use-after-free in workers while using XMLHttpRequest (MFSA 2015-65) CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-66) CVE-2015-2741 Mozilla: Key pinning is ignored when overridable errors are encountered (MFSA 2015-67) CVE-2015-2743 Mozilla: Privilege escalation in PDF.js (MFSA 2015-69) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1228: java-1.8.0-openjdk security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733) A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol (OCSP) responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid. (CVE-2015-4748) It was discovered that the JCE component in OpenJDK failed to use constant time comparisons in multiple cases. An attacker could possibly use these flaws to disclose sensitive information by measuring the time used to perform operations using these non-constant time comparisons. (CVE-2015-2601) It was discovered that the GCM (Galois Counter Mode) implementation in the Security component of OpenJDK failed to properly perform a null check. This could cause the Java Virtual Machine to crash when an application performed encryption using a block cipher in the GCM mode. (CVE-2015-2659) A flaw was found in the RC4 encryption algorithm. When using certain keys for RC4 encryption, an attacker could obtain portions of the plain text from the cipher text without the knowledge of the encryption key. (CVE-2015-2808) Note: With this update, OpenJDK now disables RC4 TLS/SSL cipher suites by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug 1207101, linked to in the References section, for additional details about this change. A flaw was found in the way the TLS protocol composed the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them do decrypt all traffic. (CVE-2015-4000) Note: This update forces the TLS/SSL client implementation in OpenJDK to reject DH key sizes below 768 bits, which prevents sessions to be downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change. It was discovered that the JNDI component in OpenJDK did not handle DNS resolutions correctly. An attacker able to trigger such DNS errors could cause a Java application using JNDI to consume memory and CPU time, and possibly block further DNS resolution. (CVE-2015-4749) Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632) A flaw was found in the way the JSSE component in OpenJDK performed X.509 certificate identity verification when establishing a TLS/SSL connection to a host identified by an IP address. In certain cases, the certificate was accepted as valid if it was issued for a host name to which the IP address resolves rather than for the IP address. (CVE-2015-2625) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. Note: This issue was originally fixed as CVE-2015-0383, but the fix was regressed in the RHSA-2015:0809 advisory. (CVE-2015-3149) All users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2659 CVE-2015-2808 CVE-2015-3149 CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760 CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher CVE-2015-3149 OpenJDK8: insecure hsperfdata temporary file handling, CVE-2015-0383 regression (Hotspot) CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks CVE-2015-2625 OpenJDK: name for reverse DNS lookup used in certificate identity check (JSSE, 8067694) CVE-2015-2601 OpenJDK: non-constant time comparisons in crypto code (JCE, 8074865) CVE-2015-2659 OpenJDK: GCM cipher issue causing JVM crash (Security, 8067648) CVE-2015-2628 OpenJDK: IIOPInputStream type confusion vulnerability (CORBA, 8076376) CVE-2015-4731 OpenJDK: improper permission checks in MBeanServerInvocationHandler (JMX, 8076397) CVE-2015-4732 OpenJDK: insufficient context checks during object deserialization (Libraries, 8076405) CVE-2015-4733 OpenJDK: RemoteObjectInvocationHandler allows calling finalize() (RMI, 8076409) CVE-2015-4748 OpenJDK: incorrect OCSP nextUpdate checking (Libraries, 8075374) CVE-2015-2621 OpenJDK: incorrect code permission checks in RMIConnectionImpl (JMX, 8075853) CVE-2015-4749 OpenJDK: DnsClient fails to release request information after error (JNDI, 8075378) CVE-2015-2632 ICU: integer overflow in LETableReference verifyLength() (OpenJDK 2D, 8077520) CVE-2015-4760 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8071715) CVE-2015-2590 OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:1229: java-1.7.0-openjdk security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733) A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol (OCSP) responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid. (CVE-2015-4748) It was discovered that the JCE component in OpenJDK failed to use constant time comparisons in multiple cases. An attacker could possibly use these flaws to disclose sensitive information by measuring the time used to perform operations using these non-constant time comparisons. (CVE-2015-2601) A flaw was found in the RC4 encryption algorithm. When using certain keys for RC4 encryption, an attacker could obtain portions of the plain text from the cipher text without the knowledge of the encryption key. (CVE-2015-2808) Note: With this update, OpenJDK now disables RC4 TLS/SSL cipher suites by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug 1207101, linked to in the References section, for additional details about this change. A flaw was found in the way the TLS protocol composed the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them do decrypt all traffic. (CVE-2015-4000) Note: This update forces the TLS/SSL client implementation in OpenJDK to reject DH key sizes below 768 bits, which prevents sessions to be downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change. It was discovered that the JNDI component in OpenJDK did not handle DNS resolutions correctly. An attacker able to trigger such DNS errors could cause a Java application using JNDI to consume memory and CPU time, and possibly block further DNS resolution. (CVE-2015-4749) Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632) A flaw was found in the way the JSSE component in OpenJDK performed X.509 certificate identity verification when establishing a TLS/SSL connection to a host identified by an IP address. In certain cases, the certificate was accepted as valid if it was issued for a host name to which the IP address resolves rather than for the IP address. (CVE-2015-2625) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808 CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760 CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks CVE-2015-2625 OpenJDK: name for reverse DNS lookup used in certificate identity check (JSSE, 8067694) CVE-2015-2601 OpenJDK: non-constant time comparisons in crypto code (JCE, 8074865) CVE-2015-2628 OpenJDK: IIOPInputStream type confusion vulnerability (CORBA, 8076376) CVE-2015-4731 OpenJDK: improper permission checks in MBeanServerInvocationHandler (JMX, 8076397) CVE-2015-4732 OpenJDK: insufficient context checks during object deserialization (Libraries, 8076405) CVE-2015-4733 OpenJDK: RemoteObjectInvocationHandler allows calling finalize() (RMI, 8076409) CVE-2015-4748 OpenJDK: incorrect OCSP nextUpdate checking (Libraries, 8075374) CVE-2015-2621 OpenJDK: incorrect code permission checks in RMIConnectionImpl (JMX, 8075853) CVE-2015-4749 OpenJDK: DnsClient fails to release request information after error (JNDI, 8075378) CVE-2015-2632 ICU: integer overflow in LETableReference verifyLength() (OpenJDK 2D, 8077520) CVE-2015-4760 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8071715) CVE-2015-2590 OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1443: bind security update (Important) Red Hat Enterprise Linux 7 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND performed DNSSEC validation. An attacker able to make BIND (functioning as a DNS resolver with DNSSEC validation enabled) resolve a name in an attacker-controlled domain could cause named to exit unexpectedly with an assertion failure. (CVE-2015-4620) Red Hat would like to thank ISC for reporting this issue. All bind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2015 Red Hat, Inc. CVE-2015-4620 CVE-2015-4620 bind: abort DoS caused by uninitialized value use in isselfsigned() cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1455: thunderbird security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2731, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740) It was found that Thunderbird skipped key-pinning checks when handling an error that could be overridden by the user (for example an expired certificate error). This flaw allowed a user to override a pinned certificate, which is an action the user should not be able to perform. (CVE-2015-2741) Note: All of the above issues cannot be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Bob Clary, Christian Holler, Bobby Holley, Andrew McCreight, Herre, Ronald Crane, and David Keeler as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 31.8. You can find a link to the Mozilla advisories in the References section of this erratum. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 31.8, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-2724 CVE-2015-2725 CVE-2015-2731 CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 CVE-2015-2741 CVE-2015-2724 CVE-2015-2725 Mozilla: Miscellaneous memory safety hazards (rv:31.8 / rv:38.1) (MFSA 2015-59) CVE-2015-2731 Mozilla: Use-after-free in Content Policy due to microtask execution error (MFSA 2015-63) CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-66) CVE-2015-2741 Mozilla: Key pinning is ignored when overridable errors are encountered (MFSA 2015-67) cpe:/o:redhat:enterprise_linux:7 cpe:/a:redhat:rhel_productivity:5 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:1483: libuser security update (Important) Red Hat Enterprise Linux 7 The libuser library implements a standardized interface for manipulating and administering user and group accounts. Sample applications that are modeled after applications from the shadow password suite (shadow-utils) are included in these packages. Two flaws were found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser (for example, userhelper) to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root. (CVE-2015-3245, CVE-2015-3246) Red Hat would like to thank Qualys for reporting these issues. All libuser users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2015 Red Hat, Inc. CVE-2015-3245 CVE-2015-3246 CVE-2015-3245 libuser does not filter newline characters in the GECOS field CVE-2015-3246 libuser: Security flaw in handling /etc/passwd file cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1507: qemu-kvm security and bug fix update (Important) Red Hat Enterprise Linux 7 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. A heap buffer overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with the CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest. (CVE-2015-5154) An out-of-bounds memory access flaw, leading to memory corruption or possibly an information leak, was found in QEMU's pit_ioport_read() function. A privileged guest user in a QEMU guest, which had QEMU PIT emulation enabled, could potentially, in rare cases, use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (CVE-2015-3214) Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting the CVE-2015-3214 issue. The CVE-2015-5154 issue was discovered by Kevin Wolf of Red Hat. This update also fixes the following bug: * Due to an incorrect implementation of portable memory barriers, the QEMU emulator in some cases terminated unexpectedly when a virtual disk was under heavy I/O load. This update fixes the implementation in order to achieve correct synchronization between QEMU's threads. As a result, the described crash no longer occurs. (BZ#1233643) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-3214 CVE-2015-5154 CVE-2015-3214 qemu/kvm: i8254: out-of-bounds memory access in pit_ioport_read function CVE-2015-5154 qemu: ide: atapi: heap overflow during I/O buffer memory access cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1510: clutter security update (Moderate) Red Hat Enterprise Linux 7 Clutter is a library for creating fast, visually rich, graphical user interfaces. Clutter is used for rendering the GNOME desktop environment. A flaw was found in the way clutter processed certain mouse and touch gestures. An attacker could use this flaw to bypass the screen lock. (CVE-2015-3213) All clutter users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using clutter must be restarted for the update to take effect. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-3213 CVE-2015-3213 Gnome clutter: screenlock bypass by performing certain mouse gestures cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1513: bind security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handled requests for TKEY DNS resource records. A remote attacker could use this flaw to make named (functioning as an authoritative DNS server or a DNS resolver) exit unexpectedly with an assertion failure via a specially crafted DNS request packet. (CVE-2015-5477) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Jonathan Foote as the original reporter. All bind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2015 Red Hat, Inc. CVE-2015-5477 CVE-2015-5477 bind: TKEY query handling flaw leading to denial of service cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1526: java-1.6.0-openjdk security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733) A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol (OCSP) responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid. (CVE-2015-4748) It was discovered that the JCE component in OpenJDK failed to use constant time comparisons in multiple cases. An attacker could possibly use these flaws to disclose sensitive information by measuring the time used to perform operations using these non-constant time comparisons. (CVE-2015-2601) A flaw was found in the RC4 encryption algorithm. When using certain keys for RC4 encryption, an attacker could obtain portions of the plain text from the cipher text without the knowledge of the encryption key. (CVE-2015-2808) Note: With this update, OpenJDK now disables RC4 TLS/SSL cipher suites by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug 1207101, linked to in the References section, for additional details about this change. A flaw was found in the way the TLS protocol composed the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them to decrypt all traffic. (CVE-2015-4000) Note: This update forces the TLS/SSL client implementation in OpenJDK to reject DH key sizes below 768 bits, which prevents sessions to be downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change. It was discovered that the JNDI component in OpenJDK did not handle DNS resolutions correctly. An attacker able to trigger such DNS errors could cause a Java application using JNDI to consume memory and CPU time, and possibly block further DNS resolution. (CVE-2015-4749) Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632) A flaw was found in the way the JSSE component in OpenJDK performed X.509 certificate identity verification when establishing a TLS/SSL connection to a host identified by an IP address. In certain cases, the certificate was accepted as valid if it was issued for a host name to which the IP address resolves rather than for the IP address. (CVE-2015-2625) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808 CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760 CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks CVE-2015-2625 OpenJDK: name for reverse DNS lookup used in certificate identity check (JSSE, 8067694) CVE-2015-2601 OpenJDK: non-constant time comparisons in crypto code (JCE, 8074865) CVE-2015-2628 OpenJDK: IIOPInputStream type confusion vulnerability (CORBA, 8076376) CVE-2015-4731 OpenJDK: improper permission checks in MBeanServerInvocationHandler (JMX, 8076397) CVE-2015-4732 OpenJDK: insufficient context checks during object deserialization (Libraries, 8076405) CVE-2015-4733 OpenJDK: RemoteObjectInvocationHandler allows calling finalize() (RMI, 8076409) CVE-2015-4748 OpenJDK: incorrect OCSP nextUpdate checking (Libraries, 8075374) CVE-2015-2621 OpenJDK: incorrect code permission checks in RMIConnectionImpl (JMX, 8075853) CVE-2015-4749 OpenJDK: DnsClient fails to release request information after error (JNDI, 8075378) CVE-2015-2632 ICU: integer overflow in LETableReference verifyLength() (OpenJDK 2D, 8077520) CVE-2015-4760 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8071715) CVE-2015-2590 OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 RHSA-2015:1534: kernel security and bug fix update (Moderate) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * An integer overflow flaw was found in the way the Linux kernel's netfilter connection tracking implementation loaded extensions. An attacker on a local network could potentially send a sequence of specially crafted packets that would initiate the loading of a large number of extensions, causing the targeted system in that network to crash. (CVE-2014-9715, Moderate) * A stack-based buffer overflow flaw was found in the Linux kernel's early load microcode functionality. On a system with UEFI Secure Boot enabled, a local, privileged user could use this flaw to increase their privileges to the kernel (ring0) level, bypassing intended restrictions in place. (CVE-2015-2666, Moderate) * It was found that the Linux kernel's ping socket implementation did not properly handle socket unhashing during spurious disconnects, which could lead to a use-after-free flaw. On x86-64 architecture systems, a local user able to create ping sockets could use this flaw to crash the system. On non-x86-64 architecture systems, a local user able to create ping sockets could use this flaw to escalate their privileges on the system. (CVE-2015-3636, Moderate) * It was found that the Linux kernel's TCP/IP protocol suite implementation for IPv6 allowed the Hop Limit value to be set to a smaller value than the default one. An attacker on a local network could use this flaw to prevent systems on that network from sending or receiving network packets. (CVE-2015-2922, Low) Red Hat would like to thank Nathan Hoad for reporting the CVE-2014-9715 issue. This update also fixes several bugs. Refer to the following Knowledgebase article for further information: https://access.redhat.com/articles/1474193 All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-9715 CVE-2015-2666 CVE-2015-2922 CVE-2015-3636 CVE-2015-2922 kernel: denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements. CVE-2015-2666 kernel: execution in the early microcode loader CVE-2014-9715 kernel: netfilter connection tracking extensions denial of service CVE-2015-3636 kernel: ping sockets: use-after-free leading to local privilege escalation cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1565: kernel-rt security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. * An integer overflow flaw was found in the way the Linux kernel's netfilter connection tracking implementation loaded extensions. An attacker on a local network could potentially send a sequence of specially crafted packets that would initiate the loading of a large number of extensions, causing the targeted system in that network to crash. (CVE-2014-9715, Moderate) * A stack-based buffer overflow flaw was found in the Linux kernel's early load microcode functionality. On a system with UEFI Secure Boot enabled, a local, privileged user could use this flaw to increase their privileges to the kernel (ring0) level, bypassing intended restrictions in place. (CVE-2015-2666, Moderate) * It was found that the Linux kernel's ping socket implementation did not properly handle socket unhashing during spurious disconnects, which could lead to a use-after-free flaw. On x86-64 architecture systems, a local user able to create ping sockets could use this flaw to crash the system. On non-x86-64 architecture systems, a local user able to create ping sockets could use this flaw to escalate their privileges on the system. (CVE-2015-3636, Moderate) * It was found that the Linux kernel's TCP/IP protocol suite implementation for IPv6 allowed the Hop Limit value to be set to a smaller value than the default one. An attacker on a local network could use this flaw to prevent systems on that network from sending or receiving network packets. (CVE-2015-2922, Low) Red Hat would like to thank Nathan Hoad for reporting the CVE-2014-9715 issue. The kernel-rt packages have been upgraded to version 3.10.0-229.11.1, which provides a number of bug fixes and enhancements over the previous version, including: * drbg: Add stdrng alias and increase priority * seqiv / eseqiv / chainiv: Move IV seeding into init function * ipv4: kABI fix for 0bbf87d backport * ipv4: Convert ipv4.ip_local_port_range to be per netns * libceph: tcp_nodelay support * ipr: Increase default adapter init stage change timeout * fix use-after-free bug in usb_hcd_unlink_urb() * libceph: fix double __remove_osd() problem * ext4: fix data corruption caused by unwritten and delayed extents * sunrpc: Add missing support for RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT * nfs: Fixing lease renewal (Benjamin Coddington) * control hard lockup detection default * Fix print-once on enable * watchdog: update watchdog_thresh properly and watchdog attributes atomically * module: Call module notifier on failure after complete_formation() (BZ#1234470) This update also fixes the following bugs: * The megasas driver used the smp_processor_id() function within a preemptible context, which caused warning messages to be returned to the console. The function has been changed to raw_smp_processor_id() so that a lock is held while getting the processor ID. As a result, correct operations are now allowed without any console warnings being produced. (BZ#1235304) * In the NFSv4 file system, non-standard usage of the write_seqcount_{begin,end}() functions were used, which caused the realtime code to try to sleep while locks were held. As a consequence, the "scheduling while atomic" error messages were returned. The underlying source code has been modified to use the __write_seqcount_{begin,end}() functions that do not hold any locks, allowing correct execution of realtime. (BZ#1235301) All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-9715 CVE-2015-2666 CVE-2015-2922 CVE-2015-3636 CVE-2015-2922 kernel: denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements. CVE-2015-2666 kernel: execution in the early microcode loader CVE-2014-9715 kernel: netfilter connection tracking extensions denial of service CVE-2015-3636 kernel: ping sockets: use-after-free leading to local privilege escalation kernel-rt: update to the RHEL7.1.z batch 4 source tree cpe:/a:redhat:rhel_extras_rt:7 RHSA-2015:1581: firefox security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was discovered in Mozilla Firefox that could be used to violate the same-origin policy and inject web script into a non-privileged part of the built-in PDF file viewer (PDF.js). An attacker could create a malicious web page that, when viewed by a victim, could steal arbitrary files (including private SSH keys, the /etc/passwd file, and other potentially sensitive files) from the system running Firefox. (CVE-2015-4495) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Cody Crews as the original reporter. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.1.1 ESR, which corrects this issue. After installing the update, Firefox must be restarted for the changes to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-4495 CVE-2015-4495 Mozilla: Same origin violation and local file stealing via PDF reader (MFSA 2015-78) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1586: firefox security update (Critical) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479, CVE-2015-4480, CVE-2015-4493, CVE-2015-4484, CVE-2015-4491, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4492) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Gary Kwong, Christian Holler, Byron Campen, Aki Helin, André Bargull, Massimiliano Tomassoli, laf.intel, Massimiliano Tomassoli, Tyson Smith, Jukka Jylänki, Gustavo Grieco, Abhishek Arya, Ronald Crane, and Looben Yang as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.2 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2015-4473 CVE-2015-4475 CVE-2015-4478 CVE-2015-4479 CVE-2015-4480 CVE-2015-4484 CVE-2015-4485 CVE-2015-4486 CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 CVE-2015-4491 CVE-2015-4492 CVE-2015-4493 CVE-2015-4473 Mozilla: Miscellaneous memory safety hazards (rv:38.2) (MFSA 2015-79) CVE-2015-4475 Mozilla: Out-of-bounds read with malformed MP3 file (MFSA 2015-80) CVE-2015-4478 Mozilla: Redefinition of non-configurable JavaScript object properties (MFSA 2015-82) CVE-2015-4479 CVE-2015-4480 CVE-2015-4493 Mozilla: Overflow issues in libstagefright (MFSA 2015-83) CVE-2015-4484 Mozilla: Crash when using shared memory in JavaScript (MFSA 2015-87) CVE-2015-4491 Mozilla: Heap overflow in gdk-pixbuf when scaling bitmap images (MFSA 2015-88) CVE-2015-4485 CVE-2015-4486 Mozilla: Buffer overflows on Libvpx when decoding WebM video (MFSA 2015-89) CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-90) CVE-2015-4492 Mozilla: Use-after-free in XMLHttpRequest with shared workers (MFSA 2015-92) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 RHSA-2015:1635: sqlite security update (Moderate) Red Hat Enterprise Linux 7 SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server. A flaw was found in the way SQLite handled dequoting of collation-sequence names. A local attacker could submit a specially crafted COLLATE statement that would crash the SQLite process, or have other unspecified impacts. (CVE-2015-3414) It was found that SQLite's sqlite3VdbeExec() function did not properly implement comparison operators. A local attacker could submit a specially crafted CHECK statement that would crash the SQLite process, or have other unspecified impacts. (CVE-2015-3415) It was found that SQLite's sqlite3VXPrintf() function did not properly handle precision and width values during floating-point conversions. A local attacker could submit a specially crafted SELECT statement that would crash the SQLite process, or have other unspecified impacts. (CVE-2015-3416) All sqlite users are advised to upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-3414 CVE-2015-3415 CVE-2015-3416 CVE-2015-3414 sqlite: use of uninitialized memory when parsing collation sequences in src/where.c CVE-2015-3415 sqlite: invalid free() in src/vdbe.c CVE-2015-3416 sqlite: stack buffer overflow in src/printf.c cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1636: net-snmp security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser. It was discovered that the snmp_pdu_parse() function could leave incompletely parsed varBind variables in the list of variables. A remote, unauthenticated attacker could use this flaw to crash snmpd or, potentially, execute arbitrary code on the system with the privileges of the user running snmpd. (CVE-2015-5621) Red Hat would like to thank Qinghao Tang of QIHU 360 company, China for reporting this issue. All net-snmp users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-5621 CVE-2015-5621 net-snmp: snmp_pdu_parse() incompletely parsed varBinds left in list of variables cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1640: pam security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies without having to recompile programs to handle authentication. It was discovered that the _unix_run_helper_binary() function of PAM's unix_pam module could write to a blocking pipe, possibly causing the function to become unresponsive. An attacker able to supply large passwords to the unix_pam module could use this flaw to enumerate valid user accounts, or cause a denial of service on the system. (CVE-2015-3238) Red Hat would like to thank Sebastien Macke of Trustwave SpiderLabs for reporting this issue. All pam users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-3238 CVE-2015-3238 pam: DoS/user enumeration due to blocking pipe in pam_unix module cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1665: mariadb security update (Moderate) Red Hat Enterprise Linux 7 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. It was found that the MySQL client library permitted but did not require a client to use SSL/TLS when establishing a secure connection to a MySQL server using the "--ssl" option. A man-in-the-middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. (CVE-2015-3152) This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2015-0501, CVE-2015-2568, CVE-2015-0499, CVE-2015-2571, CVE-2015-0433, CVE-2015-0441, CVE-2015-0505, CVE-2015-2573, CVE-2015-2582, CVE-2015-2620, CVE-2015-2643, CVE-2015-2648, CVE-2015-4737, CVE-2015-4752, CVE-2015-4757) These updated packages upgrade MariaDB to version 5.5.44. Refer to the MariaDB Release Notes listed in the References section for a complete list of changes. All MariaDB users should upgrade to these updated packages, which correct these issues. After installing this update, the MariaDB server daemon (mysqld) will be restarted automatically. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-0433 CVE-2015-0441 CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 CVE-2015-2582 CVE-2015-2620 CVE-2015-2643 CVE-2015-2648 CVE-2015-3152 CVE-2015-4737 CVE-2015-4752 CVE-2015-4757 CVE-2015-4864 CVE-2015-0501 mysql: unspecified vulnerability related to Server:Compiling (CPU April 2015) CVE-2015-2568 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU April 2015) CVE-2015-0499 mysql: unspecified vulnerability related to Server:Federated (CPU April 2015) CVE-2015-2571 mysql: unspecified vulnerability related to Server:Optimizer (CPU April 2015) CVE-2015-0433 mysql: unspecified vulnerability related to Server:InnoDB:DML (CPU April 2015) CVE-2015-0441 mysql: unspecified vulnerability related to Server:Security:Encryption (CPU April 2015) CVE-2015-0505 mysql: unspecified vulnerability related to Server:DDL (CPU April 2015) CVE-2015-2573 mysql: unspecified vulnerability related to Server:DDL (CPU April 2015) CVE-2015-3152 mysql: use of SSL/TLS can not be enforced in mysql client library (oCERT-2015-003, BACKRONYM) CVE-2015-2582 mysql: unspecified vulnerability related to Server:GIS (CPU July 2015) CVE-2015-2620 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU July 2015) CVE-2015-2643 mysql: unspecified vulnerability related to Server:Optimizer (CPU July 2015) CVE-2015-2648 mysql: unspecified vulnerability related to Server:DML (CPU July 2015) CVE-2015-4737 mysql: unspecified vulnerability related to Server:Pluggable Auth (CPU July 2015) CVE-2015-4752 mysql: unspecified vulnerability related to Server:I_S (CPU July 2015) CVE-2015-4757 mysql: unspecified vulnerability related to Server:Optimizer (CPU July 2015) cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1667: httpd security update (Moderate) Red Hat Enterprise Linux 7 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183) It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185) All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd service will be restarted automatically. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-3183 CVE-2015-3185 CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1682: thunderbird security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-4473, CVE-2015-4491, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489) Note: All of the above issues cannot be exploited by a specially crafted HTML mail message because JavaScript is disabled by default for mail messages. However, they could be exploited in other ways in Thunderbird (for example, by viewing the full remote content of an RSS feed). Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Gary Kwong, Christian Holler, Byron Campen, Gustavo Grieco, and Ronald Crane as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 38.2. You can find a link to the Mozilla advisories in the References section of this erratum. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 38.2, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-4473 CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 CVE-2015-4491 CVE-2015-4473 Mozilla: Miscellaneous memory safety hazards (rv:38.2) (MFSA 2015-79) CVE-2015-4491 Mozilla: Heap overflow in gdk-pixbuf when scaling bitmap images (MFSA 2015-88) CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-90) cpe:/a:redhat:rhel_productivity:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1693: firefox security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4497) A flaw was found in the way Firefox handled installation of add-ons. An attacker could use this flaw to bypass the add-on installation prompt, and trick the user inso installing an add-on from a malicious source. (CVE-2015-4498) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jean-Max Reymond, Ucha Gobejishvili, and Bas Venis as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.2.1 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2015-4497 CVE-2015-4498 CVE-2015-4497 Mozilla: Use-after-free when resizing canvas element during restyling (MFSA 2015-94) CVE-2015-4498 Mozilla: Add-on notification bypass through data URLs (MFSA 2015-95) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1694: gdk-pixbuf2 security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 gdk-pixbuf is an image loading library that can be extended by loadable modules for new image formats. It is used by toolkits such as GTK+ or clutter. An integer overflow, leading to a heap-based buffer overflow, was found in the way gdk-pixbuf, an image loading library for GNOME, scaled certain bitmap format images. An attacker could use a specially crafted BMP image file that, when processed by an application compiled against the gdk-pixbuf library, would cause that application to crash or execute arbitrary code with the permissions of the user running the application. (CVE-2015-4491) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Gustavo Grieco as the original reporter. All gdk-pixbuf2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-4491 CVE-2015-4491 Mozilla: Heap overflow in gdk-pixbuf when scaling bitmap images (MFSA 2015-88) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1695: jakarta-taglibs-standard security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 jakarta-taglibs-standard is the Java Standard Tag Library (JSTL). This library is used in conjunction with Tomcat and Java Server Pages (JSP). It was found that the Java Standard Tag Library (JSTL) allowed the processing of untrusted XML documents to utilize external entity references, which could access resources on the host system and, potentially, allowing arbitrary code execution. (CVE-2015-0254) Note: jakarta-taglibs-standard users may need to take additional steps after applying this update. Detailed instructions on the additional steps can be found here: https://access.redhat.com/solutions/1584363 All jakarta-taglibs-standard users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2015 Red Hat, Inc. CVE-2015-0254 CVE-2015-0254 jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1699: nss-softokn security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. A flaw was found in the way NSS verified certain ECDSA (Elliptic Curve Digital Signature Algorithm) signatures. Under certain conditions, an attacker could use this flaw to conduct signature forgery attacks. (CVE-2015-2730) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Watson Ladd as the original reporter of this issue. All nss-softokn users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-2730 CVE-2015-2730 NSS: ECDSA signature validation fails to handle some signatures correctly (MFSA 2015-64) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:1700: pcs security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. A command injection flaw was found in the pcsd web UI. An attacker able to trick a victim that was logged in to the pcsd web UI into visiting a specially crafted URL could use this flaw to execute arbitrary code with root privileges on the server hosting the web UI. (CVE-2015-5190) A race condition was found in the way the pcsd web UI backend performed authorization of user requests. An attacker could use this flaw to send a request that would be evaluated as originating from a different user, potentially allowing the attacker to perform actions with permissions of a more privileged user. (CVE-2015-5189) These issues were discovered by Tomáš Jelínek of Red Hat. All pcs users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2015 Red Hat, Inc. CVE-2015-5189 CVE-2015-5190 CVE-2015-5189 pcs: Incorrect authorization when using pcs web UI CVE-2015-5190 pcs: Command injection with root privileges. cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:1705: bind security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the way BIND parsed certain malformed DNSSEC keys. A remote attacker could use this flaw to send a specially crafted DNS query (for example, a query requiring a response from a zone containing a deliberately malformed key) that would cause named functioning as a validating resolver to crash. (CVE-2015-5722) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Hanno Böck as the original reporter. All bind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2015 Red Hat, Inc. CVE-2015-5722 CVE-2015-5722 bind: malformed DNSSEC key failed assertion denial of service cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1708: libXfont security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The libXfont package provides the X.Org libXfont runtime library. X.Org is an open source implementation of the X Window System. An integer overflow flaw was found in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1802) An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1804) A NULL pointer dereference flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server. (CVE-2015-1803) All libXfont users are advised to upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2015 Red Hat, Inc. CVE-2015-1802 CVE-2015-1803 CVE-2015-1804 CVE-2015-1802 libXfont: missing range check in bdfReadProperties CVE-2015-1803 libXfont: crash on invalid read in bdfReadCharacters CVE-2015-1804 libXfont: out-of-bounds memory access in bdfReadCharacters cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1714: spice security update (Important) Red Hat Enterprise Linux 7 The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors. A race condition flaw, leading to a heap-based memory corruption, was found in spice's worker_update_monitors_config() function, which runs under the QEMU-KVM context on the host. A user in a guest could leverage this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process. (CVE-2015-3247) This issue was discovered by Frediano Ziglio of Red Hat. All spice users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Important Copyright 2015 Red Hat, Inc. CVE-2015-3247 CVE-2015-3247 spice: memory corruption in worker_update_monitors_config() cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1741: haproxy security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 HAProxy provides high availability, load balancing, and proxying for TCP and HTTP-based applications. An implementation error related to the memory management of request and responses was found within HAProxy's buffer_slow_realign() function. An unauthenticated remote attacker could possibly use this flaw to leak certain memory buffer contents from a past request or session. (CVE-2015-3281) All haproxy users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Important Copyright 2015 Red Hat, Inc. CVE-2015-3281 CVE-2015-3281 haproxy: information leak in buffer_slow_realign() cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:1742: subversion security update (Moderate) Red Hat Enterprise Linux 7 Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. An assertion failure flaw was found in the way the SVN server processed certain requests with dynamically evaluated revision numbers. A remote attacker could use this flaw to cause the SVN server (both svnserve and httpd with the mod_dav_svn module) to crash. (CVE-2015-0248) It was found that the mod_authz_svn module did not properly restrict anonymous access to Subversion repositories under certain configurations when used with Apache httpd 2.4.x. This could allow a user to anonymously access files in a Subversion repository, which should only be accessible to authenticated users. (CVE-2015-3184) It was found that the mod_dav_svn module did not properly validate the svn:author property of certain requests. An attacker able to create new revisions could use this flaw to spoof the svn:author property. (CVE-2015-0251) It was found that when an SVN server (both svnserve and httpd with the mod_dav_svn module) searched the history of a file or a directory, it would disclose its location in the repository if that file or directory was not readable (for example, if it had been moved). (CVE-2015-3187) Red Hat would like to thank the Apache Software Foundation for reporting these issues. Upstream acknowledges Evgeny Kotkov of VisualSVN as the original reporter of CVE-2015-0248 and CVE-2015-0251, and C. Michael Pilato of CollabNet as the original reporter of CVE-2015-3184 and CVE-2015-3187 flaws. All subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, for the update to take effect, you must restart the httpd daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are serving Subversion repositories via the svn:// protocol. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-0248 CVE-2015-0251 CVE-2015-3184 CVE-2015-3187 CVE-2015-0248 subversion: (mod_dav_svn) remote denial of service with certain requests with dynamically evaluated revision numbers CVE-2015-0251 subversion: (mod_dav_svn) spoofing svn:author property values for new revisions CVE-2015-3184 subversion: Mixed anonymous/authenticated path-based authz with httpd 2.4 CVE-2015-3187 subversion: svn_repos_trace_node_locations() reveals paths hidden by authz cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1778: kernel security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the kernel's implementation of the Berkeley Packet Filter (BPF). A local attacker could craft BPF code to crash the system by creating a situation in which the JIT compiler would fail to correctly optimize the JIT image on the last pass. This would lead to the CPU executing instructions that were not part of the JIT code. (CVE-2015-4700, Important) * Two flaws were found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use these flaws to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality. (CVE-2015-5364, CVE-2015-5366, Important) * A flaw was found in the way the Linux kernel's ext4 file system handled the "page size > block size" condition when the fallocate zero range functionality was used. A local attacker could use this flaw to crash the system. (CVE-2015-0275, Moderate) * It was found that the Linux kernel's keyring implementation would leak memory when adding a key to a keyring via the add_key() function. A local attacker could use this flaw to exhaust all available memory on the system. (CVE-2015-1333, Moderate) * A race condition flaw was found in the way the Linux kernel's SCTP implementation handled Address Configuration lists when performing Address Configuration Change (ASCONF). A local attacker could use this flaw to crash the system via a race condition triggered by setting certain ASCONF options on a socket. (CVE-2015-3212, Moderate) * An information leak flaw was found in the way the Linux kernel's Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space. (CVE-2014-9585, Low) Red Hat would like to thank Daniel Borkmann for reporting CVE-2015-4700, and Canonical for reporting the CVE-2015-1333 issue. The CVE-2015-0275 issue was discovered by Xiong Zhou of Red Hat, and the CVE-2015-3212 issue was discovered by Ji Jianwen of Red Hat Engineering. This update also fixes several bugs. Refer to the following Knowledgebase article for further information: https://access.redhat.com/articles/1614563 All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2014-9585 CVE-2015-0275 CVE-2015-1333 CVE-2015-3212 CVE-2015-4700 CVE-2015-5364 CVE-2015-5366 CVE-2014-9585 kernel: ASLR bruteforce possible for vdso library CVE-2015-0275 kernel: fs: ext4: fallocate zero range page size > block size BUG() CVE-2015-3212 kernel: SCTP race condition allows list corruption and panic from userlevel CVE-2015-4700 kernel: Crafted BPF filters may crash kernel during JIT optimisation CVE-2015-5366 CVE-2015-5364 kernel: net: incorrect processing of checksums in UDP implementation CVE-2015-1333 kernel: denial of service due to memory leak in add_key() cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1788: kernel-rt security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the kernel's implementation of the Berkeley Packet Filter (BPF). A local attacker could craft BPF code to crash the system by creating a situation in which the JIT compiler would fail to correctly optimize the JIT image on the last pass. This would lead to the CPU executing instructions that were not part of the JIT code. (CVE-2015-4700, Important) * Two flaws were found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use these flaws to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality. (CVE-2015-5364, CVE-2015-5366, Important) * A flaw was found in the way the Linux kernel's ext4 file system handled the "page size > block size" condition when the fallocate zero range functionality was used. A local attacker could use this flaw to crash the system. (CVE-2015-0275, Moderate) * It was found that the Linux kernel's keyring implementation would leak memory when adding a key to a keyring via the add_key() function. A local attacker could use this flaw to exhaust all available memory on the system. (CVE-2015-1333, Moderate) * A race condition flaw was found in the way the Linux kernel's SCTP implementation handled Address Configuration lists when performing Address Configuration Change (ASCONF). A local attacker could use this flaw to crash the system via a race condition triggered by setting certain ASCONF options on a socket. (CVE-2015-3212, Moderate) * An information leak flaw was found in the way the Linux kernel's Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space. (CVE-2014-9585, Low) Red Hat would like to thank Daniel Borkmann for reporting CVE-2015-4700, and Canonical for reporting the CVE-2015-1333 issue. The CVE-2015-0275 issue was discovered by Xiong Zhou of Red Hat, and the CVE-2015-3212 issue was discovered by Ji Jianwen of Red Hat Engineering. The kernel-rt packages have been upgraded to version 3.10.0-229.13.1, which provides a number of bug fixes and enhancements over the previous version, including: * Fix regression in scsi_send_eh_cmnd() * boot hangs at "Console: switching to colour dummy device 80x25" * Update tcp stack to 3.17 kernel * Missing some code from patch "(...) Fix VGA switcheroo problem related to hotplug" * ksoftirqd high CPU usage due to stray tasklet from ioatdma driver * During Live Partition Mobility (LPM) testing, RHEL 7.1 LPARs will crash in kmem_cache_alloc (BZ#1253809) This update also fixes the following bug: * The hwlat_detector.ko module samples the clock and records any intervals between reads that exceed a specified threshold. However, the module previously tracked the maximum interval seen for the "inner" interval but did not record when the "outer" interval was greater. A patch has been applied to fix this bug, and hwlat_detector.ko now correctly records if the outer interval is the maximal interval encountered during the run. (BZ#1252365) All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2014-9585 CVE-2015-0275 CVE-2015-1333 CVE-2015-3212 CVE-2015-4700 CVE-2015-5364 CVE-2015-5366 CVE-2014-9585 kernel: ASLR bruteforce possible for vdso library CVE-2015-0275 kernel: fs: ext4: fallocate zero range page size > block size BUG() CVE-2015-3212 kernel: SCTP race condition allows list corruption and panic from userlevel CVE-2015-4700 kernel: Crafted BPF filters may crash kernel during JIT optimisation CVE-2015-5366 CVE-2015-5364 kernel: net: incorrect processing of checksums in UDP implementation CVE-2015-1333 kernel: denial of service due to memory leak in add_key() kernel-rt: update to the RHEL7.1.z batch 5 source tree cpe:/a:redhat:rhel_extras_rt:7 RHSA-2015:1793: qemu-kvm security fix update (Moderate) Red Hat Enterprise Linux 7 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An information leak flaw was found in the way QEMU's RTL8139 emulation implementation processed network packets under RTL8139 controller's C+ mode of operation. An unprivileged guest user could use this flaw to read up to 65 KB of uninitialized QEMU heap memory. (CVE-2015-5165) Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Donghai Zhu of Alibaba as the original reporter. All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-5165 CVE-2015-5165 Qemu: rtl8139 uninitialized heap memory information leakage to guest (XSA-140) cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1834: firefox security update (Critical) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4500, CVE-2015-4506, CVE-2015-4509, CVE-2015-4511, CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180) Two information leak flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to disclose sensitive information or, in certain cases, crash. (CVE-2015-4519, CVE-2015-4520) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David Major, Andrew McCreight, Cameron McCormack, Khalil Zhani, Atte Kettunen, Ronald Crane, Mario Gomes, and Ehsan Akhgari as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.3.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2015-4500 CVE-2015-4506 CVE-2015-4509 CVE-2015-4511 CVE-2015-4517 CVE-2015-4519 CVE-2015-4520 CVE-2015-4521 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175 CVE-2015-7176 CVE-2015-7177 CVE-2015-7180 CVE-2015-4500 Mozilla: Miscellaneous memory safety hazards (MFSA 2015-96) CVE-2015-4509 Mozilla: Use-after-free while manipulating HTML media content (MFSA 2015-106) CVE-2015-4506 Mozilla: Buffer overflow in libvpx while parsing vp9 format video (MFSA 2015-101) CVE-2015-4511 Mozilla: Buffer overflow while decoding WebM video (MFSA 2015-105) CVE-2015-4519 Mozilla: Dragging and dropping images exposes final URL after redirects (MFSA 2015-110) CVE-2015-4520 Mozilla: Errors in the handling of CORS preflight request headers (MFSA 2015-111) CVE-2015-4517 CVE-2015-4521 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175 CVE-2015-7176 CVE-2015-7177 CVE-2015-7180 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-112) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 RHSA-2015:1840: openldap security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 OpenLDAP is an open source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols used to access and maintain distributed directory information services over an IP network. The openldap package contains configuration files, libraries, and documentation for OpenLDAP. A flaw was found in the way the OpenLDAP server daemon (slapd) parsed certain Basic Encoding Rules (BER) data. A remote attacker could use this flaw to crash slapd via a specially crafted packet. (CVE-2015-6908) All openldap users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2015 Red Hat, Inc. CVE-2015-6908 CVE-2015-6908 openldap: ber_get_next denial of service vulnerability cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1852: thunderbird security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-4500, CVE-2015-4509, CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180) Two information leak flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to disclose sensitive information or, in certain cases, crash. (CVE-2015-4519, CVE-2015-4520) Note: All of the above issues cannot be exploited by a specially crafted HTML mail message because JavaScript is disabled by default for mail messages. However, they could be exploited in other ways in Thunderbird (for example, by viewing the full remote content of an RSS feed). Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David Major, Andrew McCreight, Cameron McCormack, Ronald Crane, Mario Gomes, and Ehsan Akhgari as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 38.3.0 You can find a link to the Mozilla advisories in the References section of this erratum. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 38.3.0, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-4500 CVE-2015-4509 CVE-2015-4517 CVE-2015-4519 CVE-2015-4520 CVE-2015-4521 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175 CVE-2015-7176 CVE-2015-7177 CVE-2015-7180 CVE-2015-4500 Mozilla: Miscellaneous memory safety hazards (MFSA 2015-96) CVE-2015-4509 Mozilla: Use-after-free while manipulating HTML media content (MFSA 2015-106) CVE-2015-4519 Mozilla: Dragging and dropping images exposes final URL after redirects (MFSA 2015-110) CVE-2015-4520 Mozilla: Errors in the handling of CORS preflight request headers (MFSA 2015-111) CVE-2015-4517 CVE-2015-4521 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175 CVE-2015-7176 CVE-2015-7177 CVE-2015-7180 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-112) cpe:/a:redhat:rhel_productivity:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 RHSA-2015:1890: spice security update (Important) Red Hat Enterprise Linux 7 The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors. A heap-based buffer overflow flaw was found in the way SPICE handled certain guest QXL commands related to surface creation. A user in a guest could use this flaw to read and write arbitrary memory locations on the host. (CVE-2015-5261) A heap-based buffer overflow flaw was found in the way spice handled certain QXL commands related to the "surface_id" parameter. A user in a guest could use this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process. (CVE-2015-5260) These issues were discovered by Frediano Ziglio of Red Hat. All spice users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2015 Red Hat, Inc. CVE-2015-5260 CVE-2015-5261 CVE-2015-5260 spice: insufficient validation of surface_id parameter can cause crash CVE-2015-5261 spice: host memory access from guest using crafted images cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1917: libwmf security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 libwmf is a library for reading and converting Windows Metafile Format (WMF) vector graphics. libwmf is used by applications such as GIMP and ImageMagick. It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) with embedded BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application. (CVE-2015-0848, CVE-2015-4588) It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash or execute arbitrary code with the privileges of the user running the application. (CVE-2015-4696) It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash. (CVE-2015-4695) All users of libwmf are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, all applications using libwmf must be restarted for the update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696 CVE-2015-0848 libwmf: heap overflow when decoding BMP images CVE-2015-4695 libwmf: heap buffer overread in meta.h CVE-2015-4696 libwmf: use-after-free flaw in meta.h CVE-2015-4588 libwmf: heap overflow within the RLE decoding of embedded BMP images cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1919: java-1.8.0-openjdk security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844) Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911) A flaw was found in the way the Libraries component in OpenJDK handled certificate revocation lists (CRL). In certain cases, CRL checking code could fail to report a revoked certificate, causing the application to accept it as trusted. (CVE-2015-4868) It was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. (CVE-2015-4872) Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903) Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue. All users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4868 CVE-2015-4872 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4903 CVE-2015-4911 CVE-2015-4806 OpenJDK: HttpURLConnection header restriction bypass (Libraries, 8130193) CVE-2015-4835 OpenJDK: insufficient permission checks in StubGenerator (CORBA, 8076383) CVE-2015-4881 OpenJDK: missing type checks in IIOPInputStream (CORBA, 8076392) CVE-2015-4843 OpenJDK: java.nio Buffers integer overflow issues (Libraries, 8130891) CVE-2015-4883 OpenJDK: incorrect access control context used in DGCClient (RMI, 8076413) CVE-2015-4860 OpenJDK: incorrect access control context used in DGCImpl (RMI, 8080688) CVE-2015-4805 OpenJDK: missing checks for proper initialization in ObjectStreamClass (Serialization, 8103671) CVE-2015-4844 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8132042) CVE-2015-4868 OpenJDK: CRL checking flaw (Libraries, 8081744) CVE-2015-4840 OpenJDK: OOB access in CMS code (2D, 8086092) CVE-2015-4882 OpenJDK: incorrect String object deserialization in IIOPInputStream (CORBA, 8076387) CVE-2015-4842 OpenJDK: leak of user.dir location (JAXP, 8078427) CVE-2015-4734 OpenJDK: kerberos realm name leak (JGSS, 8048030) CVE-2015-4903 OpenJDK: insufficient proxy class checks in RemoteObjectInvocationHandler (RMI, 8076339) CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842) CVE-2015-4893 OpenJDK: incomplete MaxXMLNameLimit enforcement (JAXP, 8086733) CVE-2015-4911 OpenJDK: incomplete supportDTD enforcement (JAXP, 8130078) CVE-2015-4872 OpenJDK: incomplete constraints enforcement by AlgorithmChecker (Security, 8131291) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:1920: java-1.7.0-openjdk security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844) Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911) It was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. (CVE-2015-4872) Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903) Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4872 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4903 CVE-2015-4911 CVE-2015-4806 OpenJDK: HttpURLConnection header restriction bypass (Libraries, 8130193) CVE-2015-4835 OpenJDK: insufficient permission checks in StubGenerator (CORBA, 8076383) CVE-2015-4881 OpenJDK: missing type checks in IIOPInputStream (CORBA, 8076392) CVE-2015-4843 OpenJDK: java.nio Buffers integer overflow issues (Libraries, 8130891) CVE-2015-4883 OpenJDK: incorrect access control context used in DGCClient (RMI, 8076413) CVE-2015-4860 OpenJDK: incorrect access control context used in DGCImpl (RMI, 8080688) CVE-2015-4805 OpenJDK: missing checks for proper initialization in ObjectStreamClass (Serialization, 8103671) CVE-2015-4844 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8132042) CVE-2015-4840 OpenJDK: OOB access in CMS code (2D, 8086092) CVE-2015-4882 OpenJDK: incorrect String object deserialization in IIOPInputStream (CORBA, 8076387) CVE-2015-4842 OpenJDK: leak of user.dir location (JAXP, 8078427) CVE-2015-4734 OpenJDK: kerberos realm name leak (JGSS, 8048030) CVE-2015-4903 OpenJDK: insufficient proxy class checks in RemoteObjectInvocationHandler (RMI, 8076339) CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842) CVE-2015-4893 OpenJDK: incomplete MaxXMLNameLimit enforcement (JAXP, 8086733) CVE-2015-4911 OpenJDK: incomplete supportDTD enforcement (JAXP, 8130078) CVE-2015-4872 OpenJDK: incomplete constraints enforcement by AlgorithmChecker (Security, 8131291) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:1930: ntp security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. It was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that would increase the client's polling interval value, and effectively disable synchronization with the server. (CVE-2015-7704) It was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions. A man-in-the-middle attacker able to intercept NTP traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value. (CVE-2015-5300) Red Hat would like to thank Aanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg of Boston University for reporting these issues. All ntp users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically. Important Copyright 2015 Red Hat, Inc. CVE-2015-5300 CVE-2015-7704 CVE-2015-7704 ntp: disabling synchronization via crafted KoD packet CVE-2015-5300 ntp: MITM attacker can force ntpd to make a step larger than the panic threshold cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1943: qemu-kvm security update (Moderate) Red Hat Enterprise Linux 7 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. It was found that the QEMU's websocket frame decoder processed incoming frames without limiting resources used to process the header and the payload. An attacker able to access a guest's VNC console could use this flaw to trigger a denial of service on the host by exhausting all available memory and CPU. (CVE-2015-1779) This issue was discovered by Daniel P. Berrange of Red Hat. All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-1779 CVE-2015-1779 qemu: vnc: insufficient resource limiting in VNC websockets decoder qemu-kvm build failure race condition in tests/ide-test cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1977: kernel-rt security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's VFS subsystem handled file system locks. A local, unprivileged user could use this flaw to trigger a deadlock in the kernel, causing a denial of service on the system. (CVE-2014-8559, Moderate) * A buffer overflow flaw was found in the way the Linux kernel's virtio-net subsystem handled certain fraglists when the GRO (Generic Receive Offload) functionality was enabled in a bridged network configuration. An attacker on the local network could potentially use this flaw to crash the system, or, although unlikely, elevate their privileges on the system. (CVE-2015-5156, Moderate) The CVE-2015-5156 issue was discovered by Jason Wang of Red Hat. The kernel-rt packages have been upgraded to version 3.10.0-229.20.1, which provides a number of bug fixes and enhancements over the previous version, including: * Unexpected completion is detected on Intel Ethernet x540 * Divide by zero error in intel_pstate_timer_func() [ inline s64 div_s64_rem() ] * NFS Recover from stateid-type error on SETATTR * pNFS RHEL 7.1 Data Server connection remains after umount due to lseg refcount leak * Race during NFS v4.0 recovery and standard IO. * Fix ip6t_SYNPROXY for namespaces and connection delay * synproxy window size and sequence number behaviour causes long connection delay * Crash in kmem_cache_alloc() during disk stress testing (using ipr) * xfs: sync/backport to upstream v4.1 * iscsi_session recovery_tmo revert back to default when a path becomes active * read from MD raid1 can fail if read from resync target fails * backport scsi-mq * unable to handle kernel paging request at 0000000000237037 [zswap] (BZ#1266915) All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add this enhancement. The system must be rebooted for this update to take effect. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-8559 CVE-2015-5156 CVE-2014-8559 kernel: fs: deadlock due to incorrect usage of rename_lock CVE-2015-5156 kernel: buffer overflow with fraglist larger than MAX_SKB_FRAGS + 2 in virtio-net kernel-rt: update to the RHEL7.1.z batch 6 source tree cpe:/a:redhat:rhel_extras_rt:7 RHSA-2015:1978: kernel security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's VFS subsystem handled file system locks. A local, unprivileged user could use this flaw to trigger a deadlock in the kernel, causing a denial of service on the system. (CVE-2014-8559, Moderate) * A buffer overflow flaw was found in the way the Linux kernel's virtio-net subsystem handled certain fraglists when the GRO (Generic Receive Offload) functionality was enabled in a bridged network configuration. An attacker on the local network could potentially use this flaw to crash the system, or, although unlikely, elevate their privileges on the system. (CVE-2015-5156, Moderate) The CVE-2015-5156 issue was discovered by Jason Wang of Red Hat. This update also fixes several bugs and adds one enhancement. Refer to the following Knowledgebase article for further information: https://access.redhat.com/articles/2039563 All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. The system must be rebooted for this update to take effect. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-8559 CVE-2015-5156 CVE-2014-8559 kernel: fs: deadlock due to incorrect usage of rename_lock CVE-2015-5156 kernel: buffer overflow with fraglist larger than MAX_SKB_FRAGS + 2 in virtio-net cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1979: libreswan security and enhancement update (Moderate) Red Hat Enterprise Linux 7 Libreswan is an implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network (VPN). A flaw was discovered in the way Libreswan's IKE daemon processed IKE KE payloads. A remote attacker could send specially crafted IKE payload with a KE payload of g^x=0 that, when processed, would lead to a denial of service (daemon crash). (CVE-2015-3240) This issue was discovered by Paul Wouters of Red Hat. Note: Please note that when upgrading from an earlier version of Libreswan, the existing CA certificates in the /etc/ipsec.d/cacerts/ directory and the existing certificate revocation list (CRL) files from the /etc/ipsec.d/crls/ directory are automatically imported into the NSS database. Once completed, these directories are no longer used by Libreswan. To install new CA certificates or new CRLS, the certutil and crlutil commands must be used to import these directly into the Network Security Services (NSS) database. This update also adds the following enhancements: * This update adds support for RFC 7383 IKEv2 Fragmentation, RFC 7619 Auth Null and ID Null, INVALID_KE renegotiation, CRL and OCSP support via NSS, AES_CTR and AES_GCM support for IKEv2, CAVS testing for FIPS compliance. In addition, this update enforces FIPS algorithms restrictions in FIPS mode, and runs Composite Application Validation System (CAVS) testing for FIPS compliance during package build. A new Cryptographic Algorithm Validation Program (CAVP) binary can be used to re-run the CAVS tests at any time. Regardless of FIPS mode, the pluto daemon runs RFC test vectors for various algorithms. Furthermore, compiling on all architectures now enables the "-Werror" GCC option, which enhances the security by making all warnings into errors. (BZ#1263346) * This update also fixes several memory leaks and introduces a sub-second packet retransmit option. (BZ#1268773) * This update improves migration support from Openswan to Libreswan. Specifically, all Openswan options that can take a time value without a suffix are now supported, and several new keywords for use in the /etc/ipsec.conf file have been introduced. See the relevant man pages for details. (BZ#1268775) * With this update, loopback support via the "loopback=" option has been deprecated. (BZ#1270673) All Libreswan users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-3240 CVE-2015-3240 libreswan / openswan: denial of service via IKE daemon restart when receiving a bad DH gx value libreswan should support strictcrlpolicy alias for crl-strict= option to support openswan migration libreswan FIPS test mistakenly looks for non-existent file hashes and reports FIPS failure cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1981: nss, nss-util, and nspr security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. A use-after-poison flaw and a heap-based buffer overflow flaw were found in the way NSS parsed certain ASN.1 structures. An attacker could use these flaws to cause NSS to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSS library. (CVE-2015-7181, CVE-2015-7182) A heap-based buffer overflow was found in NSPR. An attacker could use this flaw to cause NSPR to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSPR library. (CVE-2015-7183) Note: Applications using NSPR's PL_ARENA_ALLOCATE, PR_ARENA_ALLOCATE, PL_ARENA_GROW, or PR_ARENA_GROW macros need to be rebuild against the fixed nspr packages to completely resolve the CVE-2015-7183 issue. This erratum includes nss and nss-utils packages rebuilt against the fixed nspr version. Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Tyson Smith, David Keeler and Ryan Sleevi as the original reporter. All nss, nss-util and nspr users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Critical Copyright 2015 Red Hat, Inc. CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 CVE-2015-7181 nss: use-after-poison in sec_asn1d_parse_leaf() (MFSA 2015-133) CVE-2015-7182 nss: ASN.1 decoder heap overflow when decoding constructed OCTET STRING that mixes indefinite and definite length encodings (MFSA 2015-133) CVE-2015-7183 nspr: heap-buffer overflow in PL_ARENA_ALLOCATE (MFSA 2015-133) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1982: firefox security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4513, CVE-2015-7189, CVE-2015-7194, CVE-2015-7196, CVE-2015-7198, CVE-2015-7197) A same-origin policy bypass flaw was found in the way Firefox handled certain cross-origin resource sharing (CORS) requests. A web page containing malicious content could cause Firefox to disclose sensitive information. (CVE-2015-7193) A same-origin policy bypass flaw was found in the way Firefox handled URLs containing IP addresses with white-space characters. This could lead to cross-site scripting attacks. (CVE-2015-7188) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christian Holler, David Major, Jesse Ruderman, Tyson Smith, Boris Zbarsky, Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff Walden, and Gary Kwong, Michał Bentkowski, Looben Yang, Shinto K Anto, Gustavo Grieco, Vytautas Staraitis, Ronald Crane, and Ehsan Akhgari as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.4.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2015-4513 CVE-2015-7188 CVE-2015-7189 CVE-2015-7193 CVE-2015-7194 CVE-2015-7196 CVE-2015-7197 CVE-2015-7198 CVE-2015-7199 CVE-2015-7200 CVE-2015-4513 Mozilla: Miscellaneous memory safety hazards (rv:38.4) (MFSA 2015-116) CVE-2015-7188 Mozilla: Trailing whitespace in IP address hostnames can bypass same-origin policy (MFSA 2015-122) CVE-2015-7189 Mozilla: Buffer overflow during image interactions in canvas (MFSA 2015-123) CVE-2015-7193 Mozilla: CORS preflight is bypassed when non-standard Content-Type headers are received (MFSA 2015-127) CVE-2015-7194 Mozilla: Memory corruption in libjar through zip files (MFSA 2015-128) CVE-2015-7196 Mozilla: JavaScript garbage collection crash with Java applet (MFSA 2015-130) CVE-2015-7198 CVE-2015-7199 CVE-2015-7200 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-131) CVE-2015-7197 Mozilla: Mixed content WebSocket policy bypass through workers (MFSA 2015-132) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2078: postgresql security update (Moderate) Red Hat Enterprise Linux 7 PostgreSQL is an advanced object-relational database management system (DBMS). A memory leak error was discovered in the crypt() function of the pgCrypto extension. An authenticated attacker could possibly use this flaw to disclose a limited amount of the server memory. (CVE-2015-5288) A stack overflow flaw was discovered in the way the PostgreSQL core server processed certain JSON or JSONB input. An authenticated attacker could possibly use this flaw to crash the server backend by sending specially crafted JSON or JSONB input. (CVE-2015-5289) Please note that SSL renegotiation is now disabled by default. For more information, please refer to PostgreSQL's 2015-10-08 Security Update Release notes, linked to in the References section. All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-5288 CVE-2015-5289 CVE-2015-5288 postgresql: limited memory disclosure flaw in crypt() CVE-2015-5289 postgresql: stack overflow DoS when parsing json or jsonb inputs cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2079: binutils security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The binutils packages provide a set of binary utilities. Multiple buffer overflow flaws were found in the libbdf library used by various binutils utilities. If a user were tricked into processing a specially crafted file with an application using the libbdf library, it could cause the application to crash or, potentially, execute arbitrary code. (CVE-2014-8485, CVE-2014-8501, CVE-2014-8502, CVE-2014-8503, CVE-2014-8504, CVE-2014-8738) An integer overflow flaw was found in the libbdf library used by various binutils utilities. If a user were tricked into processing a specially crafted file with an application using the libbdf library, it could cause the application to crash. (CVE-2014-8484) A directory traversal flaw was found in the strip and objcopy utilities. A specially crafted file could cause strip or objdump to overwrite an arbitrary file writable by the user running either of these utilities. (CVE-2014-8737) This update fixes the following bugs: * Binary files started by the system loader could lack the Relocation Read-Only (RELRO) protection even though it was explicitly requested when the application was built. This bug has been fixed on multiple architectures. Applications and all dependent object files, archives, and libraries built with an alpha or beta version of binutils should be rebuilt to correct this defect. (BZ#1200138, BZ#1175624) * The ld linker on 64-bit PowerPC now correctly checks the output format when asked to produce a binary in another format than PowerPC. (BZ#1226864) * An important variable that holds the symbol table for the binary being debugged has been made persistent, and the objdump utility on 64-bit PowerPC is now able to access the needed information without reading an invalid memory region. (BZ#1172766) * Undesirable runtime relocations described in RHBA-2015:0974. (BZ#872148) The update adds these enhancements: * New hardware instructions of the IBM z Systems z13 are now supported by assembler, disassembler, and linker, as well as Single Instruction, Multiple Data (SIMD) instructions. (BZ#1182153) * Expressions of the form: "FUNC@localentry" to refer to the local entry point for the FUNC function (if defined) are now supported by the PowerPC assembler. These are required by the ELFv2 ABI on the little-endian variant of IBM Power Systems. (BZ#1194164) All binutils users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-8484 CVE-2014-8485 CVE-2014-8501 CVE-2014-8502 CVE-2014-8503 CVE-2014-8504 CVE-2014-8737 CVE-2014-8738 CVE-2014-8484 binutils: invalid read flaw in libbfd CVE-2014-8485 binutils: lack of range checking leading to controlled write in _bfd_elf_setup_sections() CVE-2014-8501 binutils: out-of-bounds write when parsing specially crafted PE executable CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485) CVE-2014-8503 binutils: stack overflow in objdump when parsing specially crafted ihex file CVE-2014-8504 binutils: stack overflow in the SREC parser CVE-2014-8737 binutils: directory traversal vulnerability CVE-2014-8738 binutils: out of bounds memory write ppc64: segv in libbfd binutils: ld sporadically generates binaries without relro protection even when told so The binutils package contains the windmc(1) manual page but the utility is not included [aarch64][binutils] relocation truncated to fit: R_AARCH64_LD64_GOT_LO12_NC against cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2086: java-1.6.0-openjdk security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844) Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911) It was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. (CVE-2015-4872) Multiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903) Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4835 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4872 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4903 CVE-2015-4911 CVE-2015-4806 OpenJDK: HttpURLConnection header restriction bypass (Libraries, 8130193) CVE-2015-4835 OpenJDK: insufficient permission checks in StubGenerator (CORBA, 8076383) CVE-2015-4881 OpenJDK: missing type checks in IIOPInputStream (CORBA, 8076392) CVE-2015-4843 OpenJDK: java.nio Buffers integer overflow issues (Libraries, 8130891) CVE-2015-4883 OpenJDK: incorrect access control context used in DGCClient (RMI, 8076413) CVE-2015-4860 OpenJDK: incorrect access control context used in DGCImpl (RMI, 8080688) CVE-2015-4805 OpenJDK: missing checks for proper initialization in ObjectStreamClass (Serialization, 8103671) CVE-2015-4844 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8132042) CVE-2015-4882 OpenJDK: incorrect String object deserialization in IIOPInputStream (CORBA, 8076387) CVE-2015-4842 OpenJDK: leak of user.dir location (JAXP, 8078427) CVE-2015-4734 OpenJDK: kerberos realm name leak (JGSS, 8048030) CVE-2015-4903 OpenJDK: insufficient proxy class checks in RemoteObjectInvocationHandler (RMI, 8076339) CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842) CVE-2015-4893 OpenJDK: incomplete MaxXMLNameLimit enforcement (JAXP, 8086733) CVE-2015-4911 OpenJDK: incomplete supportDTD enforcement (JAXP, 8130078) CVE-2015-4872 OpenJDK: incomplete constraints enforcement by AlgorithmChecker (Security, 8131291) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 RHSA-2015:2088: openssh security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. A flaw was found in the way OpenSSH handled PAM authentication when using privilege separation. An attacker with valid credentials on the system and able to fully compromise a non-privileged pre-authentication process using a different flaw could use this flaw to authenticate as other users. (CVE-2015-6563) A use-after-free flaw was found in OpenSSH. An attacker able to fully compromise a non-privileged pre-authentication process using a different flaw could possibly cause sshd to crash or execute arbitrary code with root privileges. (CVE-2015-6564) It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) It was found that the OpenSSH ssh-agent, a program to hold private keys used for public key authentication, was vulnerable to password guessing attacks. An attacker able to connect to the agent could use this flaw to conduct a brute-force attack to unlock keys in the ssh-agent. (BZ#1238238) This update fixes the following bugs: * Previously, the sshd_config(5) man page was misleading and could thus confuse the user. This update improves the man page text to clearly describe the AllowGroups feature. (BZ#1150007) * The limit for the function for restricting the number of files listed using the wildcard character (*) that prevents the Denial of Service (DoS) for both server and client was previously set too low. Consequently, the user reaching the limit was prevented from listing a directory with a large number of files over Secure File Transfer Protocol (SFTP). This update increases the aforementioned limit, thus fixing this bug. (BZ#1160377) * When the ForceCommand option with a pseudoterminal was used and the MaxSession option was set to "2", multiplexed SSH connections did not work as expected. After the user attempted to open a second multiplexed connection, the attempt failed if the first connection was still open. This update modifies OpenSSH to issue only one audit message per session, and the user is thus able to open two multiplexed connections in this situation. (BZ#1199112) * The ssh-copy-id utility failed if the account on the remote server did not use an sh-like shell. Remote commands have been modified to run in an sh-like shell, and ssh-copy-id now works also with non-sh-like shells. (BZ#1201758) * Due to a race condition between auditing messages and answers when using ControlMaster multiplexing, one session in the shared connection randomly and unexpectedly exited the connection. This update fixes the race condition in the auditing code, and multiplexing connections now work as expected even with a number of sessions created at once. (BZ#1240613) In addition, this update adds the following enhancements: * As not all Lightweight Directory Access Protocol (LDAP) servers possess a default schema, as expected by the ssh-ldap-helper program, this update provides the user with an ability to adjust the LDAP query to get public keys from servers with a different schema, while the default functionality stays untouched. (BZ#1201753) * With this enhancement update, the administrator is able to set permissions for files uploaded using Secure File Transfer Protocol (SFTP). (BZ#1197989) * This update provides the LDAP schema in LDAP Data Interchange Format (LDIF) format as a complement to the old schema previously accepted by OpenLDAP. (BZ#1184938) * With this update, the user can selectively disable the Generic Security Services API (GSSAPI) key exchange algorithms as any normal key exchange. (BZ#1253062) Users of openssh are advised to upgrade to these updated packages, which correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-5600 CVE-2015-6563 CVE-2015-6564 pam_namespace usage is not consistent across system-wide PAM configuration sftp is failing using wildcards and many files Default selinux policy prevents ssh-ldap-helper from connecting to LDAP server No Documentation= line in the sshd.service file Provide LDIF version of LPK schema sshd -T does not show all (default) options, inconsistency ssh client using HostbasedAuthentication aborts in FIPS mode RFE: option to let openssh/sftp force the exact permissions on newly uploaded files openssh: weakness of agent locking (ssh-add -x) to password guessing CVE-2015-5600 openssh: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices CVE-2015-6563 openssh: Privilege separation weakness related to PAM support CVE-2015-6564 openssh: Use-after-free bug related to PAM support cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2101: python security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme, or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). It was discovered that the Python xmlrpclib module did not restrict the size of gzip-compressed HTTP responses. A malicious XMLRPC server could cause an XMLRPC client using xmlrpclib to consume an excessive amount of memory. (CVE-2013-1753) It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict the sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory. (CVE-2013-1752) It was discovered that the CGIHTTPServer module incorrectly handled URL encoded paths. A remote attacker could use this flaw to execute scripts outside of the cgi-bin directory, or disclose the source code of the scripts in the cgi-bin directory. (CVE-2014-4650) An integer overflow flaw was found in the way the buffer() function handled its offset and size arguments. An attacker able to control these arguments could use this flaw to disclose portions of the application memory or cause it to crash. (CVE-2014-7185) A flaw was found in the way the json module handled negative index arguments passed to certain functions (such as raw_decode()). An attacker able to control the index value passed to one of the affected functions could possibly use this flaw to disclose portions of the application memory. (CVE-2014-4616) The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data. (CVE-2014-9365) Note: The Python standard library was updated to make it possible to enable certificate verification by default. However, for backwards compatibility, verification remains disabled by default. Future updates may change this default. Refer to the Knowledgebase article 2039753 linked to in the References section for further details about this change. (BZ#1219108) This update also fixes the following bugs: * Subprocesses used with the Eventlet library or regular threads previously tried to close epoll file descriptors twice, which led to an "Invalid argument" error. Subprocesses have been fixed to close the file descriptors only once. (BZ#1103452) * When importing the readline module from a Python script, Python no longer produces erroneous random characters on stdout. (BZ#1189301) * The cProfile utility has been fixed to print all values that the "-s" option supports when this option is used without a correct value. (BZ#1237107) * The load_cert_chain() function now accepts "None" as a keyfile argument. (BZ#1250611) In addition, this update adds the following enhancements: * Security enhancements as described in PEP 466 have been backported to the Python standard library, for example, new features of the ssl module: Server Name Indication (SNI) support, support for new TLSv1.x protocols, new hash algorithms in the hashlib module, and many more. (BZ#1111461) * Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the ssl library. (BZ#1192015) * The ssl.SSLSocket.version() method is now available to access information about the version of the SSL protocol used in a connection. (BZ#1259421) All python users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2013-1752 CVE-2013-1753 CVE-2014-4616 CVE-2014-4650 CVE-2014-7185 CVE-2013-1753 python: XMLRPC library unrestricted decompression of HTTP responses using gzip enconding CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib tmpwatch removes python multiprocessing sockets CVE-2014-4616 python: missing boundary check in JSON module CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read CVE-2014-9365 python: failure to validate certificates in the HTTP client with TLS (PEP 476) setup.py bdist_rpm NameError: global name 'get_python_version' is not defined multiprocessing BaseManager serve_client() does not check EINTR on recv cProfile main() traceback if options syntax is invalid SSLContext.load_cert_chain() keyfile argument can't be set to None Backport SSLSocket.version() to python 2.7.5 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2108: cpio security and bug fix update (Moderate) Red Hat Enterprise Linux 7 The cpio packages provide the GNU cpio utility for creating and extracting archives, or copying files from one place to another. A heap-based buffer overflow flaw was found in cpio's list_file() function. An attacker could provide a specially crafted archive that, when processed by cpio, would crash cpio, or potentially lead to arbitrary code execution. (CVE-2014-9112) This update fixes the following bugs: * Previously, during archive creation, cpio internals did not detect a read() system call failure. Based on the premise that the call succeeded, cpio terminated unexpectedly with a segmentation fault without processing further files. The underlying source code has been patched, and an archive is now created successfully. (BZ#1138148) * Previously, running the cpio command without parameters on Red Hat Enterprise Linux 7 with Russian as the default language resulted in an error message that was not accurate in Russian due to an error in spelling. This has been corrected and the Russian error message is spelled correctly. (BZ#1075513) All cpio users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-9112 [PATCH] Typo in ru.po CVE-2014-9112 cpio: heap-based buffer overflow flaw in list_file() cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2111: grep security and bug fix update (Low) Red Hat Enterprise Linux 7 The grep utility searches through textual input for lines that contain a match to a specified pattern and then prints the matching lines. The GNU grep utilities include grep, egrep, and fgrep. A heap-based buffer overflow flaw was found in the way grep processed certain pattern and text combinations. An attacker able to trick a user into running grep on specially crafted input could use this flaw to crash grep or, potentially, read from uninitialized memory. (CVE-2015-1345) This update also fixes the following bugs: * Prior to this update, the \w and \W symbols were inconsistently matched to the [:alnum:] character class. Consequently, using regular expressions with "\w" and "\W" could lead to incorrect results. With this update, "\w" is consistently matched to the [_[:alnum:]] character, and "\W" is consistently matched to the [^_[:alnum:]] character. (BZ#1159012) * Previously, the Perl Compatible Regular Expression (PCRE) matcher (selected by the "-P" parameter in grep) did not work correctly when matching non-UTF-8 text in UTF-8 locales. Consequently, an error message about invalid UTF-8 byte sequence characters was returned. To fix this bug, patches from upstream have been applied to the grep utility. As a result, PCRE now skips non-UTF-8 characters as non-matching text without returning any error message. (BZ#1217080) All grep users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2015 Red Hat, Inc. CVE-2015-1345 undocumented option --fixed-regexp inconsistent \w and [[:alnum:]] behaviour CVE-2015-1345 grep: heap buffer overrun cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2131: openldap security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 OpenLDAP is an open-source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols used to access and maintain distributed directory information services over an IP network. The openldap packages contain configuration files, libraries, and documentation for OpenLDAP. A flaw was found in the way OpenLDAP parsed OpenSSL-style cipher strings. As a result, OpenLDAP could potentially use ciphers that were not intended to be enabled. (CVE-2015-3276) This issue was discovered by Martin Poole of the Red Hat Software Maintenance Engineering group. The openldap packages have been upgraded to upstream version 2.4.40, which provides a number of bug fixes and one enhancement over the previous version: * The ORDERING matching rules have been added to the ppolicy attribute type descriptions. * The server no longer terminates unexpectedly when processing SRV records. * Missing objectClass information has been added, which enables the user to modify the front-end configuration by standard means. (BZ#1147982) This update also fixes the following bugs: * Previously, OpenLDAP did not properly handle a number of simultaneous updates. As a consequence, sending a number of parallel update requests to the server could cause a deadlock. With this update, a superfluous locking mechanism causing the deadlock has been removed, thus fixing the bug. (BZ#1125152) * The httpd service sometimes terminated unexpectedly with a segmentation fault on the libldap library unload. The underlying source code has been modified to prevent a bad memory access error that caused the bug to occur. As a result, httpd no longer crashes in this situation. (BZ#1158005) * After upgrading the system from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7, symbolic links to certain libraries unexpectedly pointed to locations belonging to the openldap-devel package. If the user uninstalled openldap-devel, the symbolic links were broken and the "rpm -V openldap" command sometimes produced errors. With this update, the symbolic links no longer get broken in the described situation. If the user downgrades openldap to version 2.4.39-6 or earlier, the symbolic links might break. After such downgrade, it is recommended to verify that the symbolic links did not break. To do this, make sure the yum-plugin-verify package is installed and obtain the target libraries by running the "rpm -V openldap" or "yum verify openldap" command. (BZ#1230263) In addition, this update adds the following enhancement: * OpenLDAP clients now automatically choose the Network Security Services (NSS) default cipher suites for communication with the server. It is no longer necessary to maintain the default cipher suites manually in the OpenLDAP source code. (BZ#1245279) All openldap users are advised to upgrade to these updated packages, which correct these issues and add this enhancement. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-8182 CVE-2015-3276 Rebase openldap to 2.4.40 OpenLDAP crash in NSS shutdown handling pwdChecker library requires version in pwdCheckModule attribute values for pwdChecker are not set to default values openldap: crash in ldap_domain2hostlist when processing SRV records slaptest doesn't convert perlModuleConfig lines openldap-servers leverages 'find' from findutils which is not a dep of the rpm olcDatabase in olcFrontend attribute incorrect/faulty rpm -V openldap complains automount via ldap with TLS/SSL support is not working CVE-2015-3276 openldap: incorrect multi-keyword mode cipherstring parsing OpenLDAP doesn't use sane (or default) cipher order cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2140: libssh2 security and bug fix update (Low) Red Hat Enterprise Linux 7 The libssh2 packages provide a library that implements the SSH2 protocol. A flaw was found in the way the kex_agree_methods() function of libssh2 performed a key exchange when negotiating a new SSH session. A man-in-the-middle attacker could use a crafted SSH_MSG_KEXINIT packet to crash a connecting libssh2 client. (CVE-2015-1782) This update also fixes the following bugs: * Previously, libssh2 did not correctly adjust the size of the receive window while reading from an SSH channel. This caused downloads over the secure copy (SCP) protocol to consume an excessive amount of memory. A series of upstream patches has been applied on the libssh2 source code to improve handling of the receive window size. Now, SCP downloads work as expected. (BZ#1080459) * Prior to this update, libssh2 did not properly initialize an internal variable holding the SSH agent file descriptor, which caused the agent destructor to close the standard input file descriptor by mistake. An upstream patch has been applied on libssh2 sources to properly initialize the internal variable. Now, libssh2 closes only the file descriptors it owns. (BZ#1147717) All libssh2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect. Low Copyright 2015 Red Hat, Inc. CVE-2015-1782 free'ing a not-connected agent closes STDIN CVE-2015-1782 libssh2: Using SSH_MSG_KEXINIT data unbounded cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2151: xfsprogs security, bug fix and enhancement update (Low) Red Hat Enterprise Linux 7 The xfsprogs packages contain a set of commands to use the XFS file system, including the mkfs.xfs command to construct an XFS system. It was discovered that the xfs_metadump tool of the xfsprogs suite did not fully adhere to the standards of obfuscation described in its man page. In case a user with the necessary privileges used xfs_metadump and relied on the advertised obfuscation, the generated data could contain unexpected traces of potentially sensitive information. (CVE-2012-2150) The xfsprogs packages have been upgraded to upstream version 3.2.2, which provides a number of bug fixes and enhancements over the previous version. This release also includes updates present in upstream version 3.2.3, although it omits the mkfs.xfs default disk format change (for metadata checksumming) which is present upstream. (BZ#1223991) Users of xfsprogs are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. Low Copyright 2015 Red Hat, Inc. CVE-2012-2150 CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw xfs_repair verify the last secondary superblock corruption failed Rebase xfsprogs to 3.2.3 (pending upstream) cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2152: kernel security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) * It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. (CVE-2010-5313, CVE-2014-7842, Moderate) * A flaw was found in the way the Linux kernel's KVM subsystem handled non-canonical addresses when emulating instructions that change the RIP (for example, branches or calls). A guest user with access to an I/O or MMIO region could use this flaw to crash the guest. (CVE-2014-3647, Moderate) * It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker could use this flaw to lock up the system. (CVE-2014-8171, Moderate) * A race condition flaw was found between the chown and execve system calls. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate) * A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-4170, Moderate) * A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate) * A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-6526, Moderate) * A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low) * An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process. (CVE-2014-9419, Low) * It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Red Hat Enterprise Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor. (CVE-2015-0239, Low) * A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low) Important Copyright 2015 Red Hat, Inc. CVE-2010-5313 CVE-2013-7421 CVE-2014-3647 CVE-2014-7842 CVE-2014-8171 CVE-2014-9419 CVE-2014-9644 CVE-2015-0239 CVE-2015-2925 CVE-2015-3288 CVE-2015-3339 CVE-2015-4170 CVE-2015-5283 CVE-2015-6526 CVE-2015-7613 CVE-2015-7837 CVE-2015-8215 CVE-2016-0774 ext4: ext4 driver should reject nonsensical mount options for ext2 and ext3 Test case failure: Outputs - DVI on Radeon HD 7850 [1002:6819] Test case failure: Multihead - Large Desktop on Radeon HD 7850 [1002:6819] Test case failure: Panning on Radeon HD 7850 [1002:6819] Test case failure: Screen - Change Monitors on Radeon HD 7850 [1002:6819] Test case failure: KMS - Log out after suspend/resume on AMD/ATI Kaveri [1002:1304] PXE boot 5-10x slower in RHEL due to invalid guest state emulation clock_nanosleep returns early with TIMER_ABSTIME No RHGB on some new ATI hardware Test case failure: KMS - Log out after suspend/resume on ATI Pitcairn PRO [Radeon HD 7850] [1002:6819] CVE-2014-3647 kernel: kvm: noncanonical rip after emulation CVE-2010-5313 CVE-2014-7842 kernel: kvm: reporting emulation failures to userspace CVE-2014-9419 kernel: partial ASLR bypass through TLS base addresses leak partition scan in losetup does not succeed when bound repeatedly Dynamic tickless feature not working in RHEL7 KVM guest CVE-2013-7421 Linux kernel: crypto api unprivileged arbitrary module load via request_module() [thinkpad] Support the Lenovo early 2015 models touchpad (X1 Carbon 3rd, T450, W541) CVE-2015-0239 kernel: kvm: insufficient sysenter emulation when invoked from 16-bit code CVE-2014-9644 Linux kernel: crypto api unprivileged arbitrary module load via request_module() DM RAID - Add support for 'raid0' mappings to device-mapper raid target CVE-2014-8171 kernel: memcg: OOM handling DoS Busy loop in recv(MSG_PEEK|MSG_WAITALL) Intel 9-series PCH chipset ACS quirks CVE-2015-2925 Kernel: vfs: Do not allow escaping from bind mounts CVE-2015-3339 kernel: race condition between chown() and execve() CVE-2015-6526 kernel: perf on ppc64 can loop forever getting userlevel stacktraces CVE-2015-4170 kernel: pty layer race condition on tty ldisc shutdown. RHEL7: repeated NFS4 server untainted kernel panic with RIP locks_in_grace called from nfsd4_process_open2, xfs used as export for diskless NFS clients CVE-2015-7837 kernel: securelevel disabled after kexec [rhel-7.2] [targetcli] cannot discover iSCSI target with IPv6 Lenovo W541 Xorg freezes when mini display port cable is plugged in - 3.10.0-267.el7 WARNING: at drivers/gpu/drm/drm_dp_mst_topology.c:1272 process_single_tx_qlock+0x4b6/0x540 [drm_kms_helper]() CVE-2015-5283 kernel: Creating multiple sockets when SCTP module isn't loaded leads to kernel panic CVE-2015-7613 kernel: Unauthorized access to IPC objects with SysV shm [nfs] writing to a udp6 mount results in a lockup CVE-2015-7837 kernel: securelevel disabled after kexec cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2154: krb5 security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. (CVE-2014-5355) A flaw was found in the OTP kdcpreauth module of MIT kerberos. An unauthenticated remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. (CVE-2015-2694) The krb5 packages have been upgraded to upstream version 1.13.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#1203889) Notably, this update fixes the following bugs: * Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the correct code path is now used in this situation. (BZ#1251586) * Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver systems sometimes failed. The SAP NetWeaver developer trace displayed the following error message: No credentials were supplied, or the credentials were unavailable or inaccessible Unable to establish the security context Querying SSO credential lifetime has been modified to trigger credential acquisition, thus preventing the error from occurring. Now, the user can successfully use Kerberos SSO for accessing SAP NetWeaver systems. (BZ#1252454) All krb5 users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-5355 CVE-2015-2694 krb5 upstream test t_kdb.py failure kdb5_ldap_util view_policy does not shows ticket flags on s390x and ppc64 Upstream unit tests loads the installed shared libraries instead the ones from the build Missing upstream test in krb5-1.12.2: src/tests/gssapi/t_invalid.c CVE-2014-5355 krb5: unauthenticated denial of service in recvauth_common() and others RFE: Rebase krb5 in RHEL7.2 to krb5 1.13 (krb1.13.2) ... CVE-2015-2694 krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass [SELinux] AVC denials may appear when kadmind starts [RFE] Add support for multi-hop preauth mechs via |KDC_ERR_MORE_PREAUTH_DATA_REQUIRED| for RFC 6113 ("A Generalized Framework for Kerberos Pre-Authentication") krb5-config returns wrong -specs path RFE: Minor krb5 spec file cleanup and sync with recent Fedora 22/23 changes [s390x, ppc64, ppc64le]: kadmind does not accept ACL if kadm5.acl does not end with EOL KDC sends multiple requests to ipa-otpd for the same authentication KDC does not return proper client principal for client referrals cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2155: file security and bug fix update (Moderate) Red Hat Enterprise Linux 7 The file command is used to identify a particular file according to the type of data the file contains. It can identify many different file types, including Executable and Linkable Format (ELF) binary files, system libraries, RPM packages, and different graphics formats. Multiple denial of service flaws were found in the way file parsed certain Composite Document Format (CDF) files. A remote attacker could use either of these flaws to crash file, or an application using file, via a specially crafted CDF file. (CVE-2014-0207, CVE-2014-0237, CVE-2014-0238, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3587) Two flaws were found in the way file processed certain Pascal strings. A remote attacker could cause file to crash if it was used to identify the type of the attacker-supplied file. (CVE-2014-3478, CVE-2014-9652) Multiple flaws were found in the file regular expression rules for detecting various files. A remote attacker could use these flaws to cause file to consume an excessive amount of CPU. (CVE-2014-3538) Multiple flaws were found in the way file parsed Executable and Linkable Format (ELF) files. A remote attacker could use these flaws to cause file to crash, disclose portions of its memory, or consume an excessive amount of system resources. (CVE-2014-3710, CVE-2014-8116, CVE-2014-8117, CVE-2014-9653) Red Hat would like to thank Thomas Jarosch of Intra2net AG for reporting the CVE-2014-8116 and CVE-2014-8117 issues. The CVE-2014-0207, CVE-2014-0237, CVE-2014-0238, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3710 issues were discovered by Francisco Alonso of Red Hat Product Security; the CVE-2014-3538 issue was discovered by Jan Kaluža of the Red Hat Web Stack Team The file packages have been updated to ensure correct operation on Power little endian and ARM 64-bit hardware architectures. (BZ#1224667, BZ#1224668, BZ#1157850, BZ#1067688). All file users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-0207 CVE-2014-0237 CVE-2014-0238 CVE-2014-3478 CVE-2014-3479 CVE-2014-3480 CVE-2014-3487 CVE-2014-3538 CVE-2014-3587 CVE-2014-3710 CVE-2014-8116 CVE-2014-8117 CVE-2014-9652 CVE-2014-9653 back out patch to MAXDESC CVE-2014-0207 file: cdf_read_short_sector insufficient boundary check file reports JPEG image as 'Minix filesystem' CVE-2014-0238 file: CDF property info parsing nelements infinite loop CVE-2014-0237 file: cdf_unpack_summary_info() excessive looping DoS CVE-2014-3538 file: unrestricted regular expression matching CVE-2014-3480 file: cdf_count_chain insufficient boundary check CVE-2014-3478 file: mconvert incorrect handling of truncated pascal string size CVE-2014-3479 file: cdf_check_stream_offset insufficient boundary check CVE-2014-3487 file: cdf_read_property_info insufficient boundary check CVE-2014-3587 file: incomplete fix for CVE-2012-1571 in cdf_read_property_info CVE-2014-3710 file: out-of-bounds read in elf note headers File command does not recognize kernel images on ppc64le file command does not display "from" field correctly when run on 32 bit ppc core file too many spaces ... CVE-2014-8116 file: multiple denial of service issues (resource consumption) CVE-2014-8117 file: denial of service issue (resource consumption) CVE-2014-9652 file: out of bounds read in mconvert() CVE-2014-9653 file: malformed elf file causes access to uninitialized memory aarch64: "file" fails to get the whole information of the new swap partition ppc64le: "file" fails to get the whole information of the new swap partition BuildID[sha1] sum is architecture dependent cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2159: curl security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. (CVE-2014-3613) A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory. (CVE-2014-3707) It was discovered that the libcurl library failed to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl access a specially crafted URL via an HTTP proxy could use this flaw to inject additional headers to the request or construct additional requests. (CVE-2014-8150) It was discovered that libcurl implemented aspects of the NTLM and Negotatiate authentication incorrectly. If an application uses libcurl and the affected mechanisms in a specifc way, certain requests to a previously NTLM-authenticated server could appears as sent by the wrong authenticated user. Additionally, the initial set of credentials for HTTP Negotiate-authenticated requests could be reused in subsequent requests, although a different set of credentials was specified. (CVE-2015-3143, CVE-2015-3148) Red Hat would like to thank the cURL project for reporting these issues. Bug fixes: * An out-of-protocol fallback to SSL 3.0 was available with libcurl. Attackers could abuse the fallback to force downgrade of the SSL version. The fallback has been removed from libcurl. Users requiring this functionality can explicitly enable SSL 3.0 through the libcurl API. (BZ#1154060) * TLS 1.1 and TLS 1.2 are no longer disabled by default in libcurl. You can explicitly disable them through the libcurl API. (BZ#1170339) * FTP operations such as downloading files took a significantly long time to complete. Now, the FTP implementation in libcurl correctly sets blocking direction and estimated timeout for connections, resulting in faster FTP transfers. (BZ#1218272) Enhancements: * With the updated packages, it is possible to explicitly enable or disable new Advanced Encryption Standard (AES) cipher suites to be used for the TLS protocol. (BZ#1066065) * The libcurl library did not implement a non-blocking SSL handshake, which negatively affected performance of applications based on the libcurl multi API. The non-blocking SSL handshake has been implemented in libcurl, and the libcurl multi API now immediately returns the control back to the application whenever it cannot read or write data from or to the underlying network socket. (BZ#1091429) * The libcurl library used an unnecessarily long blocking delay for actions with no active file descriptors, even for short operations. Some actions, such as resolving a host name using /etc/hosts, took a long time to complete. The blocking code in libcurl has been modified so that the initial delay is short and gradually increases until an event occurs. (BZ#1130239) All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-3613 CVE-2014-3707 CVE-2014-8150 CVE-2015-3143 CVE-2015-3148 Difference in curl performance between RHEL6 and RHEL7 CVE-2014-3613 curl: incorrect handling of IP addresses in cookie domain curl: Disable out-of-protocol fallback to SSL 3.0 CVE-2014-3707 curl: incorrect handle duplication after COPYPOSTFIELDS Response headers added by proxy servers missing in CURLINFO_HEADER_SIZE NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth [RHEL-7] use the default min/max TLS version provided by NSS CVE-2014-8150 curl: URL request injection vulnerability in parseurlandfillconn() CVE-2015-3143 curl: re-using authenticated connection when unauthenticated CVE-2015-3148 curl: Negotiate not treated as connection-oriented Performance problem with libcurl and FTP on RHEL7.X cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2172: glibc security update (Important) Red Hat Enterprise Linux 7 The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. It was discovered that the nss_files backend for the Name Service Switch in glibc would return incorrect data to applications or corrupt the heap (depending on adjacent heap contents) in certain cases. A local attacker could potentially use this flaw to escalate their privileges. (CVE-2015-5277) This issue was discovered by Sumit Bose and Lukáš Slebodník of Red Hat. All glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2015 Red Hat, Inc. CVE-2015-5277 CVE-2015-5277 glibc: data corruption while reading the NSS files database cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2180: rubygem-bundler and rubygem-thor security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 Bundler manages an application's dependencies through its entire life, across many machines, systematically and repeatably. Thor is a toolkit for building powerful command-line interfaces. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem. (CVE-2013-0334) Bundler has been upgraded to upstream version 1.7.8 and Thor has been upgraded to upstream version 1.19.1, both of which provide a number of bug fixes and enhancements over the previous versions. (BZ#1194243, BZ#1209921) All rubygem-bundler and rubygem-thor users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2013-0334 CVE-2013-0334 rubygem-bundler: 'bundle install' may install a gem from a source other than expected Bundler can't see its dependencies after Bundler.setup [rhel-7] Update Bundler to the latest release Update Thor to the latest release cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2184: realmd security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The realmd DBus system service manages discovery of and enrollment in realms and domains, such as Active Directory or Identity Management (IdM). The realmd service detects available domains, automatically configures the system, and joins it as an account to a domain. A flaw was found in the way realmd parsed certain input when writing configuration into the sssd.conf or smb.conf file. A remote attacker could use this flaw to inject arbitrary configurations into these files via a newline character in an LDAP response. (CVE-2015-2704) It was found that the realm client would try to automatically join an active directory domain without authentication, which could potentially lead to privilege escalation within a specified domain. (BZ#1205751) The realmd packages have been upgraded to upstream version 0.16.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#1174911) This update also fixes the following bugs: * Joining a Red Hat Enterprise Linux machine to a domain using the realm utility creates /home/domainname/[username]/ directories for domain users. Previously, SELinux labeled the domain users' directories incorrectly. As a consequence, the domain users sometimes experienced problems with SELinux policy. This update modifies the realmd service default behavior so that the domain users' directories are compatible with the standard SELinux policy. (BZ#1241832) * Previously, the realm utility was unable to join or discover domains with domain names containing underscore (_). The realmd service has been modified to process underscores in domain names correctly, which fixes the described bug. (BZ#1243771) In addition, this update adds the following enhancement: * The realmd utility now allows the user to disable automatic ID mapping from the command line. To disable the mapping, pass the "--automatic-id-mapping=no" option to the realmd utility. (BZ#1230941) All realmd users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-2704 realm command crashes when no input password Rebase to 0.16.x realmd: unauthenticated Active Directory join CVE-2015-2704 realmd: untrusted data is used when configuring sssd.conf and/or smb.conf Wrong SELinux label on domain users home folders realm fails to join domain names with underscore in name net ads keytab add fails on system joined to AD with RHEL 7.2 realm join cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2199: glibc security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data. (CVE-2013-7423) A buffer overflow flaw was found in the way glibc's gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application or, potentially, execute arbitrary code with the permissions of the user running the application. (CVE-2015-1781) A heap-based buffer overflow flaw and a stack overflow flaw were found in glibc's swscanf() function. An attacker able to make an application call the swscanf() function could use these flaws to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application. (CVE-2015-1472, CVE-2015-1473) An integer overflow flaw, leading to a heap-based buffer overflow, was found in glibc's _IO_wstr_overflow() function. An attacker able to make an application call this function could use this flaw to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application. (BZ#1195762) A flaw was found in the way glibc's fnmatch() function processed certain malformed patterns. An attacker able to make an application call this function could use this flaw to crash that application. (BZ#1197730) The CVE-2015-1781 issue was discovered by Arjun Shankar of Red Hat. These updated glibc packages also include numerous bug fixes and one enhancement. Space precludes documenting all of these changes in this advisory. For information on the most significant of these changes, users are directed to the following article on the Red Hat Customer Portal: https://access.redhat.com/articles/2050743 All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2013-7423 CVE-2015-1472 CVE-2015-1473 CVE-2015-1781 Test suite failure: test-ldouble getaddrinfo return EAI_NONAME instead of EAI_AGAIN in case the DNS query times out calloc in dl-reloc.c computes size incorrectly CVE-2013-7423 glibc: getaddrinfo() writes DNS queries to random file descriptors under high load CVE-2015-1472 glibc: heap buffer overflow in glibc swscanf glibc: _IO_wstr_overflow integer overflow glibc: potential denial of service in internal_fnmatch() CVE-2015-1781 glibc: buffer overflow in gethostbyname_r() and related functions with misaligned buffer glibc deadlock when printing backtrace from memory allocator CVE-2015-1473 glibc: Stack-overflow in glibc swscanf Missing define for TCP_USER_TIMEOUT in netinet/tcp.h [RFE] Unconditionally enable SDT probes in glibc builds. cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2231: ntp security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. It was found that because NTP's access control was based on a source IP address, an attacker could bypass source IP restrictions and send malicious control and configuration packets by spoofing ::1 addresses. (CVE-2014-9298, CVE-2014-9751) A denial of service flaw was found in the way NTP hosts that were peering with each other authenticated themselves before updating their internal state variables. An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers. (CVE-2015-1799) A flaw was found in the way the ntp-keygen utility generated MD5 symmetric keys on big-endian systems. An attacker could possibly use this flaw to guess generated MD5 keys, which could then be used to spoof an NTP client or server. (CVE-2015-3405) A stack-based buffer overflow was found in the way the NTP autokey protocol was implemented. When an NTP client decrypted a secret received from an NTP server, it could cause that client to crash. (CVE-2014-9297, CVE-2014-9750) It was found that ntpd did not check whether a Message Authentication Code (MAC) was present in a received packet when ntpd was configured to use symmetric cryptographic keys. A man-in-the-middle attacker could use this flaw to send crafted packets that would be accepted by a client or a peer without the attacker knowing the symmetric key. (CVE-2015-1798) The CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav Lichvár of Red Hat. Bug fixes: * The ntpd service truncated symmetric keys specified in the key file to 20 bytes. As a consequence, it was impossible to configure NTP authentication to work with peers that use longer keys. With this update, the maximum key length has been changed to 32 bytes. (BZ#1191111) * The ntpd service could previously join multicast groups only when starting, which caused problems if ntpd was started during system boot before network was configured. With this update, ntpd attempts to join multicast groups every time network configuration is changed. (BZ#1207014) * Previously, the ntp-keygen utility used the exponent of 3 when generating RSA keys. Consequently, generating RSA keys failed when FIPS mode was enabled. With this update, ntp-keygen has been modified to use the exponent of 65537, and generating keys in FIPS mode now works as expected. (BZ#1191116) * The ntpd service dropped incoming NTP packets if their source port was lower than 123 (the NTP port). With this update, ntpd no longer checks the source port number, and clients behind NAT are now able to correctly synchronize with the server. (BZ#1171640) Enhancements: * This update adds support for configurable Differentiated Services Code Points (DSCP) in NTP packets, simplifying configuration in large networks where different NTP implementations or versions are using different DSCP values. (BZ#1202828) * This update adds the ability to configure separate clock stepping thresholds for each direction (backward and forward). Use the "stepback" and "stepfwd" options to configure each threshold. (BZ#1193154) * Support for nanosecond resolution has been added to the Structural Health Monitoring (SHM) reference clock. Prior to this update, when a Precision Time Protocol (PTP) hardware clock was used as a time source to synchronize the system clock, the accuracy of the synchronization was limited due to the microsecond resolution of the SHM protocol. The nanosecond extension in the SHM protocol now allows sub-microsecond synchronization of the system clock. (BZ#1117702) All ntp users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-9297 CVE-2014-9298 CVE-2014-9750 CVE-2014-9751 CVE-2015-1798 CVE-2015-1799 CVE-2015-3405 SHM refclock doesn't support nanosecond resolution SHM refclock allows only two units with owner-only access NTP drops requests when sourceport is below 123 ntp: mreadvar command crash in ntpq CVE-2014-9298 CVE-2014-9751 ntp: drop packets with source address ::1 CVE-2014-9297 CVE-2014-9750 ntp: vallen in extension fields are not validated ntpd should warn when monitoring facility can't be disabled due to restrict configuration ntpd -x steps clock on leap second permit differential fwd/back threshold for step vs. slew [PATCH] CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto CVE-2015-1799 ntp: authentication doesn't protect symmetric associations against DoS attacks CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2233: tigervnc security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 Virtual Network Computing (VNC) is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. The tigervnc packages contain a client which allows users to connect to other desktops running a VNC server. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way TigerVNC handled screen sizes. A malicious VNC server could use this flaw to cause a client to crash or, potentially, execute arbitrary code on the client. (CVE-2014-8240) A NULL pointer dereference flaw was found in TigerVNC's XRegion. A malicious VNC server could use this flaw to cause a client to crash. (CVE-2014-8241) The tigervnc packages have been upgraded to upstream version 1.3.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#1199453) This update also fixes the following bug: * The position of the mouse cursor in the VNC session was not correctly communicated to the VNC viewer, resulting in cursor misplacement. The method of displaying the remote cursor has been changed, and cursor movements on the VNC server are now accurately reflected on the VNC client. (BZ#1100661) All tigervnc users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-8240 CVE-2014-8241 vnc black screen and error 'XRequest.130: BadValue (integer parameter out of range for operation) 0x400' VNC-EXTENSION missed on Xorg server regeneration CVE-2014-8240 tigervnc: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling CVE-2014-8241 tigervnc: NULL pointer dereference flaw in XRegion tigervnc-server has no IPV6 support gnome 3 session inside vncserver changes initial resolution instead of using what was specified from "-geometry Rebuild tigervnc against rebased xserver in 7.2 The display number is not required in the file name for VNC Enable Xinerama extension Re-base to tigervnc-1.3.x cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2237: rest security update (Low) Red Hat Enterprise Linux 7 The rest library was designed to make it easier to access web services that claim to be RESTful. A RESTful service should have URLs that represent remote objects, which methods can then be called on. It was found that the OAuth implementation in librest, a helper library for RESTful services, incorrectly truncated the pointer returned by the rest_proxy_call_get_url call. An attacker could use this flaw to crash an application using the librest library. (CVE-2015-2675) All users of rest are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using librest must be restarted for the update to take effect. Low Copyright 2015 Red Hat, Inc. CVE-2015-2675 Memory corruption when using oauth because of implicit declaration of rest_proxy_call_get_url CVE-2015-2675 rest: memory corruption when using oauth because of implicit declaration of rest_proxy_call_get_url cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2241: chrony security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The chrony suite, chronyd and chronyc, is an advanced implementation of the Network Time Protocol (NTP), specially designed to support systems with intermittent connections. It can synchronize the system clock with NTP servers, hardware reference clocks, and manual input. It can also operate as an NTPv4 (RFC 5905) server or peer to provide a time service to other computers in the network. An out-of-bounds write flaw was found in the way chrony stored certain addresses when configuring NTP or cmdmon access. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1821) An uninitialized pointer use flaw was found when allocating memory to save unacknowledged replies to authenticated command requests. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1822) A denial of service flaw was found in the way chrony hosts that were peering with each other authenticated themselves before updating their internal state variables. An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers. (CVE-2015-1853) These issues were discovered by Miroslav Lichvár of Red Hat. The chrony packages have been upgraded to upstream version 2.1.1, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include: * Updated to NTP version 4 (RFC 5905) * Added pool directive to specify pool of NTP servers * Added leapsecmode directive to select how to correct clock for leap second * Added smoothtime directive to smooth served time and enable leap smear * Added asynchronous name resolving with POSIX threads * Ready for year 2036 (next NTP era) * Improved clock control * Networking code reworked to open separate client sockets for each NTP server (BZ#1117882) This update also fixes the following bug: * The chronyd service previously assumed that network interfaces specified with the "bindaddress" directive were ready when the service was started. This could cause chronyd to fail to bind an NTP server socket to the interface if the interface was not ready. With this update, chronyd uses the IP_FREEBIND socket option, enabling it to bind to an interface later, not only when the service starts. (BZ#1169353) In addition, this update adds the following enhancement: * The chronyd service now supports four modes of handling leap seconds, configured using the "leapsecmode" option. The clock can be either stepped by the kernel (the default "system" mode), stepped by chronyd ("step" mode), slowly adjusted by slewing ("slew" mode), or the leap second can be ignored and corrected later in normal operation ("ignore" mode). If you select slewing, the correction will always start at 00:00:00 UTC and will be applied at a rate specified in the "maxslewrate" option. (BZ#1206504) All chrony users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-1821 CVE-2015-1822 CVE-2015-1853 rebase chrony to 2.1.1 Chronyd not starting with bindaddress option set to bond interface RFE: option to correct clock for leap second by slewing RFE: add option for leap smear CVE-2015-1853 chrony: authentication doesn't protect symmetric associations against DoS attacks CVE-2015-1821 chrony: Heap out of bound write in address filter CVE-2015-1822 chrony: uninitialized pointer in cmdmon reply slots RFE: add support for SRV _ntp._udp resolution Use iburst option for NTP servers from DHCP cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2248: netcf security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The netcf packages contain a library for modifying the network configuration of a system. Network configuration is expressed in a platform-independent XML format, which netcf translates into changes to the system's "native" network configuration files. A denial of service flaw was found in netcf. A specially crafted interface name could cause an application using netcf (such as the libvirt daemon) to crash. (CVE-2014-8119) This issue was discovered by Hao Liu of Red Hat. The netcf packages have been upgraded to upstream version 0.2.8, which provides a number of bug fixes and enhancements over the previous version. (BZ#1206680) Users of netcf are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-8119 Bad parsing of network-scripts/ifcfg-xxxx files. Need to limit names of new interfaces to IFNAMSIZ netcf should allow interfaces to be configured with both DHCPv4 and static IPv4 addresses at the same time netcf ignores any IPv4 address past the first one Remove extraneous single quotes from IPV6ADDR_SECONDARIES CVE-2014-8119 netcf: augeas path expression injection via interface name rebase netcf for RHEL7.2 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2290: pcs security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The pcs package provides a configuration tool for Corosync and Pacemaker. It permits users to easily view, modify and create Pacemaker based clusters. The pcs package includes Rack, which provides a minimal interface between webservers that support Ruby and Ruby frameworks. A flaw was found in a way Rack processed parameters of incoming requests. An attacker could use this flaw to send a crafted request that would cause an application using Rack to crash. (CVE-2015-3225) Red Hat would like to thank Ruby upstream developers for reporting this. Upstream acknowledges Tomek Rabczak from the NCC Group as the original reporter. The pcs package has been upgraded to upstream version 0.9.143, which provides a number of bug fixes and enhancements over the previous version. (BZ#1198265) The following enhancements are described in more detail in the Red Hat Enterprise Linux 7.2 Release Notes, linked to from the References section: * The pcs resource move and pcs resource ban commands now display a warning message to clarify the commands' behavior (BZ#1201452) * New command to move a Pacemaker resource to its preferred node (BZ#1122818) This update also fixes the following bugs: * Before this update, a bug caused location, ordering, and colocation constraints related to a resource group to be removed when removing any resource from that group. This bug has been fixed, and the constraints are now preserved until the group has no resources left, and is removed. (BZ#1158537) * Previously, when a user disabled a resource clone or multi-state resource, and then later enabled a primitive resource within it, the clone or multi-state resource remained disabled. With this update, enabling a resource within a disabled clone or multi-state resource enables it. (BZ#1218979) * When the web UI displayed a list of resource attributes, a bug caused the list to be truncated at the first "=" character. This update fixes the bug and now the web UI displays lists of resource attributes correctly. (BZ#1243579) * The documentation for the "pcs stonith confirm" command was not clear. This could lead to incorrect usage of the command, which could in turn cause data corruption. With this update, the documentation has been improved and the "pcs stonith confirm" command is now more clearly explained. (BZ#1245264) * Previously, if there were any unauthenticated nodes, creating a new cluster, adding a node to an existing cluster, or adding a cluster to the web UI failed with the message "Node is not authenticated". With this update, when the web UI detects a problem with authentication, the web UI displays a dialog to authenticate nodes as necessary. (BZ#1158569) * Previously, the web UI displayed only primitive resources. Thus there was no way to set attributes, constraints and other properties separately for a parent resource and a child resource. This has now been fixed, and resources are displayed in a tree structure, meaning all resource elements can be viewed and edited independently. (BZ#1189857) In addition, this update adds the following enhancements: * A dashboard has been added which shows the status of clusters in the web UI. Previously, it was not possible to view all important information about clusters in one place. Now, a dashboard showing the status of clusters has been added to the main page of the web UI. (BZ#1158566) * With this update, the pcsd daemon automatically synchronizes pcsd configuration across a cluster. This enables the web UI to be run from any node, allowing management even if any particular node is down. (BZ#1158577) * The web UI can now be used to set permissions for users and groups on a cluster. This allows users and groups to have their access restricted to certain operations on certain clusters. (BZ#1158571) All pcs users are advised to upgrade to this updated package, which corrects these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-3225 Provide documentation of batch-limit and other pacemaker properties in man page or pcs help pcs needs a better parser for corosync.conf Pcsd backward/forward compatibility issues 'pcs cluster status' is documented to be an alias to 'pcs status cluster' but has different output Removing a resource from a group also removes constraints mentioning that group user and group support in gui - permissions to clusters managed by pcsd [RFE] Default corosync configuration should log to file nodes authentication stops if failed on one node pcs CLI should recognize and act upon "fail due to lack of authentication" state if/as suitable (e.g. for "pcs config restore") 'pcs acl role create' does not check syntax properly pcs cluster auth --force doesn't overwrite /var/lib/pcsd/tokens if its content is corrupt pcs resource op add creates duplicate op entires Pacemaker resource defaults should show up in 'pcs config' output A cloned resource banned on one of the nodes is shown as Inactive in GUI When attempting to add a duplicate fence level we get a non-useful error message Unable to find out value for require-all parameter for ordering constraint with clones Unable to delete VirtualDomain resource remote-node when it has configured some constraints debug-promote implementation cluster node removal should verify possible loss of quorum Uncloning a non-cloned resource produces invalid CIB ungrouping a resource from a cloned group produces invalid CIB when other resources exist in that group The --wait functionality implementation needs an overhaul need a tree view for clones/MS/groups in the resource panel [GUI] pcs cluster start should go to pcsd if user is not root pcs does not inform about incorrect command usage (pcs constraint order set) pcsd: GUI fails if orphaned resource is present in a cluster PCS Rebase bug for 7.2 pcsd: don't automatically use --force everytime a resource is being removed [WebUI] spaces not allowed in resource agent options fields creating a resource name colliding with an existing group/clone/master ID needs better error message Referencing a non-existent ACL role should error out more gracefully pcs: stonith level value checking pcsd gui is not able to remove constraints and standby/unstandby nodes of remote cluster Formatting of longdesc metadata of resource agent is destroyed when using "pcs resource describe" pcs stonith describe only lists parameters of fence agent, but not description Need a way for pcs to clear out auth tokens better integration with standalone (unbundled) clufter package for cluster configuration conversion Cluster request fails on first node if this is not authorized pcsd: GUI ignores timeout value in fence_xvm agent form [gui] resource optional arguments: quoted strings missing pcs ought to require psmisc package (hidden dependency for killall execution) CVE-2015-3225 rubygem-rack: Potential Denial of Service Vulnerability in Rack normalize_params() Nagios metadata is missing pcs depends on initscripts traceback when running 'pcs resource enable clvmd --wait' pcs status pcsd shows "Unable to authenticate" on serial console pcs should print the output of crm_resource from pcs resource cleanup commands Ruby traceback on pcsd startup - /webrick.rb:48:in `shutdown': undefined method `shutdown' pcs is not parsing the output of crm_node properly A change in "crm_resource --set-parameter is-managed" introduces regression for Clone and M/S resources cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2315: NetworkManager security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 NetworkManager is a system network service that manages network devices and connections. It was discovered that NetworkManager would set device MTUs based on MTU values received in IPv6 RAs (Router Advertisements), without sanity checking the MTU value first. A remote attacker could exploit this flaw to create a denial of service attack, by sending a specially crafted IPv6 RA packet to disturb IPv6 communication. (CVE-2015-0272) A flaw was found in the way NetworkManager handled router advertisements. An unprivileged user on a local network could use IPv6 Neighbor Discovery ICMP to broadcast a non-route with a low hop limit, causing machines to lower the hop limit on existing IPv6 routes. If this limit is small enough, IPv6 packets would be dropped before reaching the final destination. (CVE-2015-2924) The network-manager-applet and NetworkManager-libreswan packages have been upgraded to upstream versions 1.0.6, and provide a number of bug fixes and enhancements over the previous versions. (BZ#1177582, BZ#1243057) Bugs: * It was not previously possible to set the Wi-Fi band to the "a" or "bg" values to lock to a specific frequency band. NetworkManager has been fixed, and it now sets the wpa_supplicant's "freq_list" option correctly, which enables proper Wi-Fi band locking. (BZ#1254461) * NetworkManager immediately failed activation of devices that did not have a carrier early in the boot process. The legacy network.service then reported activation failure. Now, NetworkManager has a grace period during which it waits for the carrier to appear. Devices that have a carrier down for a short time on system startup no longer cause the legacy network.service to fail. (BZ#1079353) * NetworkManager brought down a team device if the teamd service managing it exited unexpectedly, and the team device was deactivated. Now, NetworkManager respawns the teamd instances that disappear and is able to recover from a teamd failure avoiding disruption of the team device operation. (BZ#1145988) * NetworkManager did not send the FQDN DHCP option even if host name was set to FQDN. Consequently, Dynamic DNS (DDNS) setups failed to update the DNS records for clients running NetworkManager. Now, NetworkManager sends the FQDN option with DHCP requests, and the DHCP server is able to create DNS records for such clients. (BZ#1212597) * The command-line client was not validating the vlan.flags property correctly, and a spurious warning message was displayed when the nmcli tool worked with VLAN connections. The validation routine has been fixed, and the warning message no longer appears. (BZ#1244048) * NetworkManager did not propagate a media access control (MAC) address change from a bonding interface to a VLAN interface on top of it. Consequently, a VLAN interface on top of a bond used an incorrect MAC address. Now, NetworkManager synchronizes the addresses correctly. (BZ#1264322) Enhancements: * IPv6 Privacy extensions are now enabled by default. NetworkManager checks the per-network configuration files, NetworkManager.conf, and then falls back to "/proc/sys/net/ipv6/conf/default/use_tempaddr" to determine and set IPv6 privacy settings at device activation. (BZ#1187525) * The NetworkManager command-line tool, nmcli, now allows setting the wake-on-lan property to 0 ("none", "disable", "disabled"). (BZ#1260584) * NetworkManager now provides information about metered connections. (BZ#1200452) * NetworkManager daemon and the connection editor now support setting the Maximum Transmission Unit (MTU) of a bond. It is now possible to change MTU of a bond interface in a GUI. (BZ#1177582, BZ#1177860) * NetworkManager daemon and the connection editor now support setting the MTU of a team, allowing to change MTU of a teaming interface. (BZ#1255927) NetworkManager users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-0272 CVE-2015-2924 PIN/Password dialog for Mobile Broadband forces user to enter password, even if it's not needed NetworkManager should provide a way to reload a configuration and to refresh resolv.conf if necessary [RFE] Improve handling of DEVICE and HWADDR in nm-connection-editor Persistent wake on lan across reboot veth device goes down when ipv4 dhcp lease expires nmcli hangs when deleting profile two times [nmcli] Can't add certificate blob via nmcli as description states ipv6.method shared prevents connection from being upped Attaching a team device to a bridge doesn't work. Enable privacy extensions by default CVE-2015-0272 kernel/NetworkManager: remote DoS using IPv6 RA with bogus MTU feature request: Indicate 2ghz and 5ghz wifi device capabilities feature request: provide information about metered connections [PATCH] fix a configure-and-quit=yes bug when DHCP client ID is set and hostname is not given Continuous IPv6 router solicitation loop CVE-2015-2924 NetworkManager: denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements high cpu use with many IPv6 cloned routes _nl_get_vtable: assertion 'vtable.handle' failed [bluez5] add DUN support to nm-connection-editor libreswan vpn is not working Update to NetworkManager-openswan/libreswan 1.0.6 or later NetworkManager support for secondary IPv6 addresses dhclient is terminated and won't start after restart NetworkManager NetworkManager doesn't handle MTU correctly Updating IPv4 address lifetime causes VPN disconnection Can activate a DUN connection only once segfault while trying to connect to VPN Netlink error at 'link_change' function when net interface dynamic plug out and plug in on Xen Wi-Fi band-locking doesn't work Dialog run by nm-connection-editor --create --type=vlan doesn't offer connections (eg bond) as parents NetworkManager quits prematurely with "configure-and-quit" ipv6 dns set even if ipv6.ignore-auto-dns set yes no network on xen guests: Error: Connection activation failed: No suitable device found for this connection. cannot add adsl type connection backport upstream bugfix to platform handling links in different netns (IFLA_LINK_NETNSID) libnm-gtk: fix a possible crash in functions handling password entry libnm-gtk: remove underscore from tooltip and use symbolic icons for password location icons NetworkManager segfault on_bss_proxy_acquired fix crash in nmtui when requesting password 20 seconds timeout is not sufficient for VPN password entry no more vpn dialog after previous canceling vpn password request still visible after timeout (3 mins) Fix regression detecting s390 CTC devices cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2345: net-snmp security and bug fix update (Moderate) Red Hat Enterprise Linux 7 The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser. A denial of service flaw was found in the way snmptrapd handled certain SNMP traps when started with the "-OQ" option. If an attacker sent an SNMP trap containing a variable with a NULL type where an integer variable type was expected, it would cause snmptrapd to crash. (CVE-2014-3565) This update also fixes the following bugs: * Previously, the clientaddr option in the snmp.conf file affected outgoing messages sent only over IPv4. With this release, outgoing IPv6 messages are correctly sent from the interface specified by clientaddr. (BZ#1190679) * The Net-SNMP daemon, snmpd, did not properly clean memory when reloading its configuration file with multiple "exec" entries. Consequently, the daemon terminated unexpectedly. Now, the memory is properly cleaned, and snmpd no longer crashes on reload. (BZ#1228893) * Prior to this update, snmpd did not parse complete IPv4 traffic statistics, but reported the number of received or sent bytes in the IP-MIB::ipSystemStatsTable only for IPv6 packets and not for IPv4. This affected objects ipSystemStatsInOctets, ipSystemStatsOutOctets, ipSystemStatsInMcastOctets, and ipSystemStatsOutMcastOctets. Now, the statistics reported by snmpd are collected for IPv4 as well. (BZ#1235697) * The Net-SNMP daemon, snmpd, did not correctly detect the file system change from read-only to read-write. Consequently, after remounting the file system into the read-write mode, the daemon reported it to be still in the read-only mode. A patch has been applied, and snmpd now detects the mode changes as expected. (BZ#1241897) All net-snmp users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-3565 backport diskio device filtering CVE-2014-3565 net-snmp: snmptrapd crash when handling an SNMP trap containing a ifMtu with a NULL type snmptrap can't create (or write to) /var/lib/net-snmp/snmpapp.conf if isn't run under root udpTable has wrong indices In IPv6, snmp packet does not send from specified interface assigned by clientaddr option in snmpd.conf. net-snmp "storageUseNFS 2" option does not report NFS mount as "Fixed Disks" net-snmp-python contains zeros in IP address (IPADDR type) on big-endian architectures net-snmp snmpd fork() overhead [fix available] net-snmp does not display correct lm_sensors sensor data / missing CPU cores cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2355: sssd security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms. It was found that SSSD's Privilege Attribute Certificate (PAC) responder plug-in would leak a small amount of memory on each authentication request. A remote attacker could potentially use this flaw to exhaust all available memory on the system by making repeated requests to a Kerberized daemon application configured to authenticate using the PAC responder plug-in. (CVE-2015-5292) The sssd packages have been upgraded to upstream version 1.13.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#1205554) Several enhancements are described in the Red Hat Enterprise Linux 7.2 Release Notes, linked to in the References section: * SSSD smart card support (BZ#854396) * Cache authentication in SSSD (BZ#910187) * SSSD supports overriding automatically discovered AD site (BZ#1163806) * SSSD can now deny SSH access to locked accounts (BZ#1175760) * SSSD enables UID and GID mapping on individual clients (BZ#1183747) * Background refresh of cached entries (BZ#1199533) * Multi-step prompting for one-time and long-term passwords (BZ#1200873) * Caching for initgroups operations (BZ#1206575) Bugs fixed: * When the SELinux user content on an IdM server was set to an empty string, the SSSD SELinux evaluation utility returned an error. (BZ#1192314) * If the ldap_child process failed to initialize credentials and exited with an error multiple times, operations that create files in some cases started failing due to an insufficient amount of i-nodes. (BZ#1198477) * The SRV queries used a hard coded TTL timeout, and environments that wanted the SRV queries to be valid for a certain time only were blocked. Now, SSSD parses the TTL value out of the DNS packet. (BZ#1199541) * Previously, initgroups operation took an excessive amount of time. Now, logins and ID processing are faster for setups with AD back end and disabled ID mapping. (BZ#1201840) * When an IdM client with Red Hat Enterprise Linux 7.1 or later was connecting to a server with Red Hat Enterprise Linux 7.0 or earlier, authentication with an AD trusted domain caused the sssd_be process to terminate unexpectedly. (BZ#1202170) * If replication conflict entries appeared during HBAC processing, the user was denied access. Now, the replication conflict entries are skipped and users are permitted access. (BZ#1202245) * The array of SIDs no longer contains an uninitialized value and SSSD no longer crashes. (BZ#1204203) * SSSD supports GPOs from different domain controllers and no longer crashes when processing GPOs from different domain controllers. (BZ#1205852) * SSSD could not refresh sudo rules that contained groups with special characters, such as parentheses, in their name. (BZ#1208507) * The IPA names are not qualified on the client side if the server already qualified them, and IdM group members resolve even if default_domain_suffix is used on the server side. (BZ#1211830) * The internal cache cleanup task has been disabled by default to improve performance of the sssd_be process. (BZ#1212489) * Now, default_domain_suffix is not considered anymore for autofs maps. (BZ#1216285) * The user can set subdomain_inherit=ignore_group-members to disable fetching group members for trusted domains. (BZ#1217350) * The group resolution failed with an error message: "Error: 14 (Bad address)". The binary GUID handling has been fixed. (BZ#1226119) Enhancements added: * The description of default_domain_suffix has been improved in the manual pages. (BZ#1185536) * With the new "%0" template option, users on SSSD IdM clients can now use home directories set on AD. (BZ#1187103) All sssd users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. Low Copyright 2015 Red Hat, Inc. CVE-2015-5292 [RFE] Support for smart cards sssd does not create AAAA record in AD [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option [RFE] User's home directories are not taken from AD when there is an IPA trust with AD If v4 address exists, will not create nonexistant v6 in ipa domain With empty ipaselinuxusermapdefault security context on client is staff_u Does sssd-ad use the most suitable attribute for group name? [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA SSSD downloads too much information when fetching information about groups SSSD's HBAC processing is not permissive enough with broken replication entries [RFE] Add a way to lookup users based on CAC identity certificates GPO access control looks for computer object in user's domain only RFE: Support one-way trusts for IPA Complain loudly if backend doesn't start due to missing or invalid keytab Rebase SSSD to 1.13.x [bug] sssd always appends default_domain_suffix when checking for host keys [RFE] Add dualstack and multihomed support SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain [RFE] Expose D-BUS interface external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf Overrides with --login work in second attempt idoverridegroup for ipa group with --group-name does not work Overridde with --login fails trusted adusers group membership resolution Group resolution is inconsistent with group overrides autofs provider fails when default_domain_suffix and use_fully_qualified_names set Override for IPA users with login does not list user all groups [RFE] Support GPOs from different domain controllers Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust sssd ad provider fails to start in rhel7.2 well-known SID check is broken for NetBIOS prefixes getgrgid for user's UID on a trust client prevents getpw* sss_obfuscate fails with "ImportError: No module named pysss" KDC proxy not working with SSSD krb5_use_kdcinfo enabled Detect re-established trusts in the IPA subdomain code sss_override does not work correctly when 'use_fully_qualified_names = True' sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help Fix crash in nss responder sss_override : The local override user is not found nsupdate exits on first GSSAPI error instead of processing other commands sss_override --name doesn't work with RFC2307 and ghost users Could not resolve AD user from root domain AD: Conditional jump or move depends on uninitialised value Memory leak / possible DoS with krb auth. [rhel 7.2] CVE-2015-5292 sssd: memory leak in the sssd_pac_plugin PAM responder crashed if user was not set sssd_be crashed in ipa_srv_ad_acct_lookup_step local overrides: don't contact server with overridden name/id cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2360: cups-filters security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The cups-filters packages contain back ends, filters, and other software that was once part of the core Common UNIX Printing System (CUPS) distribution but is now maintained independently. A heap-based buffer overflow flaw and an integer overflow flaw leading to a heap-based buffer overflow were discovered in the way the texttopdf utility of cups-filter processed print jobs with a specially crafted line size. An attacker able to submit print jobs could use these flaws to crash texttopdf or, possibly, execute arbitrary code with the privileges of the "lp" user. (CVE-2015-3258, CVE-2015-3279) The CVE-2015-3258 issue was discovered by Petr Sklenar of Red Hat. Notably, this update also fixes the following bug: * Previously, when polling CUPS printers from a CUPS server, when a printer name contained an underscore (_), the client displayed the name containing a hyphen (-) instead. This made the print queue unavailable. With this update, CUPS allows the underscore character in printer names, and printers appear as shown on the CUPS server as expected. (BZ#1167408) In addition, this update adds the following enhancement: * Now, the information from local and remote CUPS servers is cached during each poll, and the CUPS server load is reduced. (BZ#1191691) All cups-filters users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-3258 CVE-2015-3279 Cups is failing to poll Printers containing a "_" in the Name cups-browsed very inefficient Cups is not pulling Description of Printers from Cups server CVE-2015-3258 cups-filters: texttopdf heap-based buffer overflow CVE-2015-3279 cups-filters: texttopdf integer overflow cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2369: openhpi security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 OpenHPI is an open source project created with the intent of providing an implementation of the SA Forum's Hardware Platform Interface (HPI). HPI provides an abstracted interface to managing computer hardware, typically for chassis and rack based servers. HPI includes resource modeling, access to and control over sensor, control, watchdog, and inventory data associated with resources, abstracted System Event Log interfaces, hardware events and alerts, and a managed hotswap interface. It was found that the "/var/lib/openhpi" directory provided by OpenHPI used world-writeable and world-readable permissions. A local user could use this flaw to view, modify, and delete OpenHPI-related data, or even fill up the storage device hosting the /var/lib directory. (CVE-2015-3248) This issue was discovered by Marko Myllynen of Red Hat. The openhpi packages have been upgraded to upstream version 3.4.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#1127908) This update also fixes the following bug: * Network timeouts were handled incorrectly in the openhpid daemon. As a consequence, network connections could fail when external plug-ins were used. With this update, handling of network socket timeouts has been improved in openhpid, and the described problem no longer occurs. (BZ#1208127) All openhpi users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. Low Copyright 2015 Red Hat, Inc. CVE-2015-3248 CVE-2015-3248 openhpi: world writable /var/lib/openhpi directory cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2378: squid security and bug fix update (Moderate) Red Hat Enterprise Linux 7 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. It was found that Squid configured with client-first SSL-bump did not correctly validate X.509 server certificate host name fields. A man-in-the-middle attacker could use this flaw to spoof a Squid server using a specially crafted X.509 certificate. (CVE-2015-3455) This update fixes the following bugs: * Previously, the squid process did not handle file descriptors correctly when receiving Simple Network Management Protocol (SNMP) requests. As a consequence, the process gradually accumulated open file descriptors. This bug has been fixed and squid now handles SNMP requests correctly, closing file descriptors when necessary. (BZ#1198778) * Under high system load, the squid process sometimes terminated unexpectedly with a segmentation fault during reboot. This update provides better memory handling during reboot, thus fixing this bug. (BZ#1225640) Users of squid are advised to upgrade to these updated packages, which fix these bugs. After installing this update, the squid service will be restarted automatically. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-3455 missing /var/run/squid needed for smp mode Squid does not serve cached responses with Vary headers Filedescriptor leaks on snmp squid sends incorrect ssl chain breaking newer gnutls using applications CVE-2015-3455 squid: incorrect X509 server certificate validation (SQUID-2015:1) squid with digest auth on big endian systems start looping cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2383: pacemaker security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The Pacemaker Resource Manager is a collection of technologies working together to provide data integrity and the ability to maintain application availability in the event of a failure. A flaw was found in the way pacemaker, a cluster resource manager, evaluated added nodes in certain situations. A user with read-only access could potentially assign any other existing roles to themselves and then add privileges to other users as well. (CVE-2015-1867) The pacemaker packages have been upgraded to upstream version 1.1.13, which provides a number of bug fixes and enhancements over the previous version. (BZ#1234680) This update also fixes the following bugs: * When a Pacemaker cluster included an Apache resource, and Apache's mod_systemd module was enabled, systemd rejected notifications sent by Apache. As a consequence, a large number of errors in the following format appeared in the system log: Got notification message from PID XXXX, but reception only permitted for PID YYYY With this update, the lrmd daemon now unsets the "NOTIFY_SOCKET" variable in the described circumstances, and these error messages are no longer logged. (BZ#1150184) * Previously, specifying a remote guest node as a part of a group resource in a Pacemaker cluster caused the node to stop working. This update adds support for remote guests in Pacemaker group resources, and the described problem no longer occurs. (BZ#1168637) * When a resource in a Pacemaker cluster failed to start, Pacemaker updated the resource's last failure time and incremented its fail count even if the "on-fail=ignore" option was used. This in some cases caused unintended resource migrations when a resource start failure occurred. Now, Pacemaker does not update the fail count when "on-fail=ignore" is used. As a result, the failure is displayed in the cluster status output, but is properly ignored and thus does not cause resource migration. (BZ#1200849) * Previously, Pacemaker supported semicolon characters (";") as delimiters when parsing the pcmk_host_map string, but not when parsing the pcmk_host_list string. To ensure consistent user experience, semicolons are now supported as delimiters for parsing pcmk_host_list, as well. (BZ#1206232) In addition, this update adds the following enhancements: * If a Pacemaker location constraint has the "resource-discovery=never" option, Pacemaker now does not attempt to determine whether a specified service is running on the specified node. In addition, if multiple location constraints for a given resource specify "resource-discovery=exclusive", then Pacemaker attempts resource discovery only on the nodes specified in those constraints. This allows Pacemaker to skip resource discovery on nodes where attempting the operation would lead to error or other undesirable behavior. (BZ#1108853) * The procedure of configuring fencing for redundant power supplies has been simplified in order to prevent multiple nodes accessing cluster resources at the same time and thus causing data corruption. For further information, see the "Fencing: Configuring STONITH" chapter of the High Availability Add-On Reference manual. (BZ#1206647) * The output of the "crm_mon" and "pcs_status" commands has been modified to be clearer and more concise, and thus easier to read when reporting the status of a Pacemaker cluster with a large number of remote nodes and cloned resources. (BZ#1115840) All pacemaker users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-1867 member weirdness when adding/removing nodes Node ends up in a reboot loop when a resource with the same name exists crm_resource --restart broken Logs full of: error: gio_poll_dispatch_update: Adaptor for descriptor 8 is not in-use pacemaker - libqb dependency needs update edge case causes colocation constraint not to be honored. pacemaker-cli requires pacemaker but does not depend on it crmd: Resource marked with failcount=INFINITY on start failure with on-fail=ignore Nagios metadata is missing debug-promote implementation fencing: Allow semi-colon delimiter for pcmk_host_list CVE-2015-1867 pacemaker: acl read-only access allow role assignment systemd resources are shut down before the cluster at reboot crm_resource -C works inconsistently with clearing resources on baremetal remote nodes Error in `/usr/sbin/crm_resource': free(): invalid pointer: 0x00007f7199482848 Rebase Pacemaker to obtain pacemaker-remote fixes for OSP lrmd killed by SIGSEGV A change in "crm_resource --set-parameter is-managed" introduces regression for Clone and M/S resources cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2393: wireshark security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The wireshark packages contain a network protocol analyzer used to capture and browse the traffic running on a computer network. Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2015-2188, CVE-2015-2189, CVE-2015-2191, CVE-2015-3810, CVE-2015-3811, CVE-2015-3812, CVE-2015-3813, CVE-2014-8710, CVE-2014-8711, CVE-2014-8712, CVE-2014-8713, CVE-2014-8714, CVE-2015-0562, CVE-2015-0563, CVE-2015-0564, CVE-2015-3182, CVE-2015-6243, CVE-2015-6244, CVE-2015-6245, CVE-2015-6246, CVE-2015-6248) The CVE-2015-3182 issue was discovered by Martin Žember of Red Hat. The wireshark packages have been upgraded to upstream version 1.10.14, which provides a number of bug fixes and enhancements over the previous version. (BZ#1238676) This update also fixes the following bug: * Prior to this update, when using the tshark utility to capture packets over the interface, tshark failed to create output files in the .pcap format even if it was specified using the "-F" option. This bug has been fixed, the "-F" option is now honored, and the result saved in the .pcap format as expected. (BZ#1227199) In addition, this update adds the following enhancement: * Previously, wireshark included only microseconds in the .pcapng format. With this update, wireshark supports nanosecond time stamp precision to allow for more accurate time stamps. (BZ#1213339) All wireshark users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. All running instances of Wireshark must be restarted for the update to take effect. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-8710 CVE-2014-8711 CVE-2014-8712 CVE-2014-8713 CVE-2014-8714 CVE-2015-0562 CVE-2015-0563 CVE-2015-0564 CVE-2015-2188 CVE-2015-2189 CVE-2015-2191 CVE-2015-3182 CVE-2015-3810 CVE-2015-3811 CVE-2015-3812 CVE-2015-3813 CVE-2015-6243 CVE-2015-6244 CVE-2015-6245 CVE-2015-6246 CVE-2015-6248 CVE-2014-8714 wireshark: TN5250 infinite loop (wnpa-sec-2014-23) CVE-2014-8712 CVE-2014-8713 wireshark: NCP dissector crashes (wnpa-sec-2014-22) CVE-2014-8711 wireshark: AMQP dissector crash (wnpa-sec-2014-21) CVE-2014-8710 wireshark: SigComp dissector crash (wnpa-sec-2014-20) CVE-2015-0562 wireshark: DEC DNA Routing Protocol dissector crash (wnpa-sec-2015-03) CVE-2015-0563 wireshark: SMTP dissector crash (wnpa-sec-2015-04) CVE-2015-0564 wireshark: TLS/SSL decryption crash (wnpa-sec-2015-05) CVE-2015-2188 wireshark: The WCP dissector could crash while decompressing data (wnpa-sec-2015-07) CVE-2015-2189 wireshark: The pcapng file parser could crash (wnpa-sec-2015-08) CVE-2015-2191 wireshark: The TNEF dissector could go into an infinite loop on 32-bit architectures (wnpa-sec-2015-10) CVE-2015-3182 wireshark: crash on sample file genbroad.snoop CVE-2015-3810 wireshark: WebSocket DoS (wnpa-sec-2015-13) CVE-2015-3811 wireshark: WCP dissector crash (wnpa-sec-2015-14) CVE-2015-3812 wireshark: X11 memory leak (wnpa-sec-2015-15) CVE-2015-3813 wireshark: Reassembly memory leak (wnpa-sec-2015-16) CVE-2015-6243 wireshark: Dissector table crash (wnpa-sec-2015-23) CVE-2015-6244 wireshark: ZigBee dissector crash (wnpa-sec-2015-24) CVE-2015-6245 wireshark: GSM RLC/MAC dissector infinite loop (wnpa-sec-2015-25) CVE-2015-6246 wireshark: WaveAgent dissector crash (wnpa-sec-2015-26) CVE-2015-6248 wireshark: Ptvcursor crash (wnpa-sec-2015-28) wireshark segfaults cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2401: grub2 security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 The grub2 packages provide version 2 of the Grand Unified Bootloader (GRUB), a highly configurable and customizable bootloader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. It was discovered that grub2 builds for EFI systems contained modules that were not suitable to be loaded in a Secure Boot environment. An attacker could use this flaw to circumvent the Secure Boot mechanisms and load non-verified code. Attacks could use the boot menu if no password was set, or the grub2 configuration file if the attacker has root privileges on the system. (CVE-2015-5281) This update also fixes the following bugs: * In one of the earlier updates, GRUB2 was modified to escape forward slash (/) characters in several different places. In one of these places, the escaping was unnecessary and prevented certain types of kernel command-line arguments from being passed to the kernel correctly. With this update, GRUB2 no longer escapes the forward slash characters in the mentioned place, and the kernel command-line arguments work as expected. (BZ#1125404) * Previously, GRUB2 relied on a timing mechanism provided by legacy hardware, but not by the Hyper-V Gen2 hypervisor, to calibrate its timer loop. This prevented GRUB2 from operating correctly on Hyper-V Gen2. This update modifies GRUB2 to use a different mechanism on Hyper-V Gen2 to calibrate the timing. As a result, Hyper-V Gen2 hypervisors now work as expected. (BZ#1150698) * Prior to this update, users who manually configured GRUB2 to use the built-in GNU Privacy Guard (GPG) verification observed the following error on boot: alloc magic is broken at [addr]: [value] Aborted. Consequently, the boot failed. The GRUB2 built-in GPG verification has been modified to no longer free the same memory twice. As a result, the mentioned error no longer occurs. (BZ#1167977) * Previously, the system sometimes did not recover after terminating unexpectedly and failed to reboot. To fix this problem, the GRUB2 packages now enforce file synchronization when creating the GRUB2 configuration file, which ensures that the required configuration files are written to disk. As a result, the system now reboots successfully after crashing. (BZ#1212114) * Previously, if an unconfigured network driver instance was selected and configured when the GRUB2 bootloader was loaded on a different instance, GRUB2 did not receive notifications of the Address Resolution Protocol (ARP) replies. Consequently, GRUB2 failed with the following error message: error: timeout: could not resolve hardware address. With this update, GRUB2 selects the network driver instance from which it was loaded. As a result, ARP packets are processed correctly. (BZ#1257475) In addition, this update adds the following enhancement: * Sorting of GRUB2 boot menu has been improved. GRUB2 now uses the rpmdevtools package to sort available kernels and the configuration file is being generated correctly with the most recent kernel version listed at the top. (BZ#1124074) All grub2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. Low Copyright 2015 Red Hat, Inc. CVE-2015-5281 grub2 can't boot new xfs CRC-capable disk format grub2-mkconfig wrong sorting [RHEL 7] grub2 improperly escapes spaces in kernel parameters no docs explaining what config path GRUB expects when netbooting yum reinstall kernel causes duplicate entry in grub menu grub2 fw_path variable is incorrect for x86 EFI network boot: too many path components stripped CVE-2015-5281 grub2: modules built in on EFI builds that allow loading arbitrary code, circumventing secure boot cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2411: kernel-rt security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important) * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) * It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker able to continuously spawn new processes within a single memory-constrained cgroup during an OOM event could use this flaw to lock up the system. (CVE-2014-8171, Moderate) * A race condition flaw was found between the chown and execve system calls. When changing the owner of a setuid user binary to root, the race condition could momentarily make the binary setuid root. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate) * A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system by holding a reference to the ldisc lock during tty shutdown, causing a deadlock. (CVE-2015-4170, Moderate) * A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate) * A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low) * An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process. (CVE-2014-9419, Low) * A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low) Red Hat would like to thank Linn Crosetto of HP for reporting the CVE-2015-7837 issue. The CVE-2015-5283 issue was discovered by Ji Jianwen from Red Hat engineering. The kernel-rt packages have been upgraded to version 3.10.0-326.rt56.204, which provides a number of bug fixes and enhancements. (BZ#1201915, BZ#1211724) This update also fixes several bugs and adds multiple enhancements. Refer to the following Red Hat Knowledgebase article for information on the most significant of these changes: https://access.redhat.com/articles/2055783 All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2013-7421 CVE-2014-8171 CVE-2014-9419 CVE-2014-9644 CVE-2015-2925 CVE-2015-3339 CVE-2015-4170 CVE-2015-5283 CVE-2015-7613 CVE-2015-7837 CVE-2014-9419 kernel: partial ASLR bypass through TLS base addresses leak CVE-2013-7421 Linux kernel: crypto api unprivileged arbitrary module load via request_module() CVE-2014-9644 Linux kernel: crypto api unprivileged arbitrary module load via request_module() CVE-2014-8171 kernel: memcg: OOM handling DoS kernel-rt: rebase tree to match RHEL7.1.z source tree CVE-2015-2925 Kernel: vfs: Do not allow escaping from bind mounts kernel-rt: rebase to the RHEL7.1.z batch3 source tree CVE-2015-3339 kernel: race condition between chown() and execve() CVE-2015-4170 kernel: pty layer race condition on tty ldisc shutdown. kernel-rt: update to the RHEL7.1.z batch 4 source tree kernel-rt: update to the RHEL7.1.z batch 5 source tree CVE-2015-5283 kernel: Creating multiple sockets when SCTP module isn't loaded leads to kernel panic kernel-rt: update to the RHEL7.1.z batch 6 source tree CVE-2015-7613 kernel: Unauthorized access to IPC objects with SysV shm CVE-2015-7837 kernel: securelevel disabled after kexec cpe:/a:redhat:rhel_extras_rt:7 RHSA-2015:2417: autofs security, bug fix and enhancement update (Moderate) Red Hat Enterprise Linux 7 The autofs utility controls the operation of the automount daemon. The daemon automatically mounts file systems when in use and unmounts them when they are not busy. It was found that program-based automounter maps that used interpreted languages such as Python used standard environment variables to locate and load modules of those languages. A local attacker could potentially use this flaw to escalate their privileges on the system. (CVE-2014-8169) Note: This issue has been fixed by adding the "AUTOFS_" prefix to the affected environment variables so that they are not used to subvert the system. A configuration option ("force_standard_program_map_env") to override this prefix and to use the environment variables without the prefix has been added. In addition, warnings have been added to the manual page and to the installed configuration file. Now, by default the standard variables of the program map are provided only with the prefix added to its name. Red Hat would like to thank the Georgia Institute of Technology for reporting this issue. Notably, this update fixes the following bugs: * When the "ls *" command was run in the root of an indirect mount, autofs attempted to literally mount the wildcard character (*) causing it to be added to the negative cache. If done before a valid mount, autofs then failed on further mount attempts inside the mount point, valid or not. This has been fixed, and wildcard map entries now function in the described situation. (BZ#1166457) * When autofs encountered a syntax error consisting of a duplicate entry in a multimap entry, it reported an error and did not mount the map entry. With this update, autofs has been amended to report the problem in the log to alert the system administrator and use the last seen instance of the duplicate entry rather than fail. (BZ#1205600) * In the ldap and sss lookup modules, the map reading functions did not distinguish between the "no entry found" and "service not available" errors. Consequently, when the "service not available" response was returned from a master map read, autofs did not update the mounts. An "entry not found" return does not prevent the map update, so the ldap and sss lookup modules were updated to distinguish between these two returns and now work as expected. (BZ#1233065) In addition, this update adds the following enhancement: * The description of the configuration parameter map_hash_table_size was missing from the autofs.conf(5) man page and its description in the configuration file comments was insufficient. A description of the parameter has been added to autofs.conf(5), and the configuration file comments have been updated. (BZ#1238573) All autofs users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. Moderate Copyright 2015 Red Hat, Inc. CVE-2014-8169 automount segment fault in parse_sun.so for negative parser tests Autofs unable to mount indirect after attempt to mount wildcard CVE-2014-8169 autofs: priv escalation via interpreter load path for program based automount maps autofs: MAPFMT_DEFAULT is not macro in lookup_program.c Similar but unrelated NFS exports block proper mounting of "parent" mount point autofs is performing excessive direct mount map re-reads Direct map does not expire if map is initially empty Heavy program map usage can lead to a hang cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2455: unbound security and bug fix update (Low) Red Hat Enterprise Linux 7 The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. A denial of service flaw was found in unbound that an attacker could use to trick the unbound resolver into following an endless loop of delegations, consuming an excessive amount of resources. (CVE-2014-8602) This update also fixes the following bugs: * Prior to this update, there was a mistake in the time configuration in the cron job invoking unbound-anchor to update the root zone key. Consequently, unbound-anchor was invoked once a month instead of every day, thus not complying with RFC 5011. The cron job has been replaced with a systemd timer unit that is invoked on a daily basis. Now, the root zone key validity is checked daily at a random time within a 24-hour window, and compliance with RFC 5011 is ensured. (BZ#1180267) * Previously, the unbound packages were installing their configuration file for the systemd-tmpfiles utility into the /etc/tmpfiles.d/ directory. As a consequence, changes to unbound made by the administrator in /etc/tmpfiles.d/ could be overwritten on package reinstallation or update. To fix this bug, unbound has been amended to install the configuration file into the /usr/lib/tmpfiles.d/ directory. As a result, the system administrator's configuration in /etc/tmpfiles.d/ is preserved, including any changes, on package reinstallation or update. (BZ#1180995) * The unbound server default configuration included validation of DNS records using the DNSSEC Look-aside Validation (DLV) registry. The Internet Systems Consortium (ISC) plans to deprecate the DLV registry service as no longer needed, and unbound could execute unnecessary steps. Therefore, the use of the DLV registry has been removed from the unbound server default configuration. Now, unbound does not try to perform DNS records validation using the DLV registry. (BZ#1223339) All unbound users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2015 Red Hat, Inc. CVE-2014-8602 CVE-2014-8602 unbound: specially crafted request can lead to denial of service root key management does not comply with RFC5011 unbound is installing files under /etc/tmpfiles.d/ cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2505: abrt and libreport security update (Moderate) Red Hat Enterprise Linux 7 ABRT (Automatic Bug Reporting Tool) is a tool to help users to detect defects in applications and to create a bug report with all the information needed by a maintainer to fix it. It uses a plug-in system to extend its functionality. libreport provides an API for reporting different problems in applications to different bug targets, such as Bugzilla, FTP, and Trac. It was found that the ABRT debug information installer (abrt-action-install-debuginfo-to-abrt-cache) did not use temporary directories in a secure way. A local attacker could use the flaw to create symbolic links and files at arbitrary locations as the abrt user. (CVE-2015-5273) It was discovered that the kernel-invoked coredump processor provided by ABRT did not handle symbolic links correctly when writing core dumps of ABRT programs to the ABRT dump directory (/var/spool/abrt). A local attacker with write access to an ABRT problem directory could use this flaw to escalate their privileges. (CVE-2015-5287) It was found that ABRT may have exposed unintended information to Red Hat Bugzilla during crash reporting. A bug in the libreport library caused changes made by a user in files included in a crash report to be discarded. As a result, Red Hat Bugzilla attachments may contain data that was not intended to be made public, including host names, IP addresses, or command line options. (CVE-2015-5302) This flaw did not affect default installations of ABRT on Red Hat Enterprise Linux as they do not post data to Red Hat Bugzilla. This feature can however be enabled, potentially impacting modified ABRT instances. As a precaution, Red Hat has identified bugs filed by such non-default Red Hat Enterprise Linux users of ABRT and marked them private. Red Hat would like to thank Philip Pettersson of Samsung for reporting the CVE-2015-5273 and CVE-2015-5287 issues. The CVE-2015-5302 issue was discovered by Bastien Nocera of Red Hat. All users of abrt and libreport are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-5273 CVE-2015-5287 CVE-2015-5302 CVE-2015-5273 abrt: Insecure temporary directory usage in abrt-action-install-debuginfo-to-abrt-cache CVE-2015-5287 abrt: incorrect permissions on /var/spool/abrt CVE-2015-5302 libreport: Possible private data leak in Bugzilla bugs opened by ABRT cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2519: thunderbird security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-4513, CVE-2015-7189, CVE-2015-7197, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200) A same-origin policy bypass flaw was found in the way Thunderbird handled certain cross-origin resource sharing (CORS) requests. A web page containing malicious content could cause Thunderbird to disclose sensitive information. (CVE-2015-7193) Note: All of the above issues cannot be exploited by a specially crafted HTML mail message because JavaScript is disabled by default for mail messages. However, they could be exploited in other ways in Thunderbird (for example, by viewing the full remote content of an RSS feed). Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Christian Holler, David Major, Jesse Ruderman, Tyson Smith, Boris Zbarsky, Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff Walden, Gary Kwong, Looben Yang, Shinto K Anto, Ronald Crane, and Ehsan Akhgari as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 38.4.0. You can find a link to the Mozilla advisories in the References section of this erratum. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 38.4.0, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-4513 CVE-2015-7189 CVE-2015-7193 CVE-2015-7197 CVE-2015-7198 CVE-2015-7199 CVE-2015-7200 CVE-2015-4513 Mozilla: Miscellaneous memory safety hazards (rv:38.4) (MFSA 2015-116) CVE-2015-7189 Mozilla: Buffer overflow during image interactions in canvas (MFSA 2015-123) CVE-2015-7193 Mozilla: CORS preflight is bypassed when non-standard Content-Type headers are received (MFSA 2015-127) CVE-2015-7198 CVE-2015-7199 CVE-2015-7200 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-131) CVE-2015-7197 Mozilla: Mixed content WebSocket policy bypass through workers (MFSA 2015-132) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 cpe:/a:redhat:rhel_productivity:5 RHSA-2015:2522: apache-commons-collections security update (Important) Red Hat Enterprise Linux 7 The Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property "org.apache.commons.collections.enableUnsafeSerialization" to re-enable their deserialization. Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of apache-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-7501 CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2550: libxml2 security update (Moderate) Red Hat Enterprise Linux 7 The libxml2 library is a development toolbox providing the implementation of various XML standards. Several denial of service flaws were found in libxml2, a library providing support for reading, modifying, and writing XML and HTML files. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to use an excessive amount of CPU, leak potentially sensitive information, or in certain cases crash the application. (CVE-2015-1819, CVE-2015-5312, CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500 CVE-2015-7941, CVE-2015-7942, CVE-2015-8241, CVE-2015-8242, CVE-2015-8317, BZ#1213957, BZ#1281955) Red Hat would like to thank the GNOME project for reporting CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500, CVE-2015-8241, CVE-2015-8242, and CVE-2015-8317. Upstream acknowledges Kostya Serebryany of Google as the original reporter of CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, and CVE-2015-7500; Hugh Davenport as the original reporter of CVE-2015-8241 and CVE-2015-8242; and Hanno Boeck as the original reporter of CVE-2015-8317. The CVE-2015-1819 issue was discovered by Florian Weimer of Red Hat Product Security. All libxml2 users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-1819 CVE-2015-5312 CVE-2015-7497 CVE-2015-7498 CVE-2015-7499 CVE-2015-7500 CVE-2015-7941 CVE-2015-7942 CVE-2015-8241 CVE-2015-8242 CVE-2015-8317 CVE-2015-8710 CVE-2015-1819 libxml2: denial of service processing a crafted XML document CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment CVE-2015-7941 libxml2: Out-of-bounds memory access CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections() CVE-2015-5312 libxml2: CPU exhaustion when processing specially crafted XML input CVE-2015-7497 libxml2: Heap-based buffer overflow in xmlDictComputeFastQKey CVE-2015-7498 libxml2: Heap-based buffer overflow in xmlParseXmlDecl CVE-2015-7499 libxml2: Heap-based buffer overflow in xmlGROW CVE-2015-8317 libxml2: Out-of-bounds heap read when parsing file with unfinished xml declaration CVE-2015-8241 libxml2: Buffer overread with XML parser in xmlNextChar CVE-2015-7500 libxml2: Heap buffer overflow in xmlParseMisc CVE-2015-8242 libxml2: Buffer overread with HTML parser in push mode in xmlSAX2TextNode libxml2: Multiple out-of-bounds reads in xmlDictComputeFastKey.isra.2 and xmlDictAddString.isra.O cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2552: kernel security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the CVE-2015-5307 issue. This update also fixes the following bugs: * On Intel Xeon v5 platforms, the processor frequency was always tied to the highest possible frequency. Switching p-states on these client platforms failed. This update sets the idle frequency, busy frequency, and processor frequency values by determining the range and adjusting the minimal and maximal percent limit values. Now, switching p-states on the aforementioned client platforms proceeds successfully. (BZ#1273926) * Due to a validation error of in-kernel memory-mapped I/O (MMIO) tracing, a VM became previously unresponsive when connected to Red Hat Enterprise Virtualization Hypervisor. The provided patch fixes this bug by dropping the check in MMIO handler, and a VM continues running as expected. (BZ#1275150) * Due to retry-able command errors, the NVMe driver previously leaked I/O descriptors and DMA mappings. As a consequence, the kernel could become unresponsive during the hot-unplug operation if a driver was removed. This update fixes the driver memory leak bug on command retries, and the kernel no longer hangs in this situation. (BZ#1279792) * The hybrid_dma_data() function was not initialized before use, which caused an invalid memory access when hot-plugging a PCI card. As a consequence, a kernel oops occurred. The provided patch makes sure hybrid_dma_data() is initialized before use, and the kernel oops no longer occurs in this situation. (BZ#1279793) * When running PowerPC (PPC) KVM guests and the host was experiencing a lot of page faults, for example because it was running low on memory, the host sometimes triggered an incorrect kind of interrupt in the guest: a data storage exception instead of a data segment exception. This caused a kernel panic of the PPC KVM guest. With this update, the host kernel synthesizes a segment fault if the corresponding Segment Lookaside Buffer (SLB) lookup fails, which prevents the kernel panic from occurring. (BZ#1281423) * The kernel accessed an incorrect area of the khugepaged process causing Logical Partitioning (LPAR) to become unresponsive, and an oops occurred in medlp5. The backported upstream patch prevents an LPAR hang, and the oops no longer occurs. (BZ#1281424) * When the sctp module was loaded and a route to an association endpoint was removed after receiving an Out-of-The-Blue (OOTB) chunk but before incrementing the "dropped because of missing route" SNMP statistic, a Null Pointer Dereference kernel panic previously occurred. This update fixes the race condition between OOTB response and route removal. (BZ#1281426) * The cpuscaling test of the certification test suite previously failed due to a rounding bug in the intel-pstate driver. This bug has been fixed and the cpuscaling test now passes. (BZ#1281491) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2015 Red Hat, Inc. CVE-2015-5307 CVE-2015-8104 CVE-2015-5307 virt: guest to host DoS by triggering an infinite loop in microcode via #AC exception CVE-2015-8104 virt: guest to host DoS by triggering an infinite loop in microcode via #DB exception cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2561: git security update (Moderate) Red Hat Enterprise Linux 7 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system. (BZ#1269794) All git users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-7545 CVE-2015-7545 git: arbitrary code execution via crafted URLs cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2595: libpng12 security update (Moderate) Red Hat Enterprise Linux 7 The libpng12 packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. It was discovered that the png_get_PLTE() and png_set_PLTE() functions of libpng did not correctly calculate the maximum palette sizes for bit depths of less than 8. In case an application tried to use these functions in combination with properly calculated palette sizes, this could lead to a buffer overflow or out-of-bounds reads. An attacker could exploit this to cause a crash or potentially execute arbitrary code by tricking an unsuspecting user into processing a specially crafted PNG image. However, the exact impact is dependent on the application using the library. (CVE-2015-8126, CVE-2015-8472) An array-indexing error was discovered in the png_convert_to_rfc1123() function of libpng. An attacker could possibly use this flaw to cause an out-of-bounds read by tricking an unsuspecting user into processing a specially crafted PNG image. (CVE-2015-7981) All libpng12 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-7981 CVE-2015-8126 CVE-2015-8472 CVE-2015-7981 libpng: Out-of-bounds read in png_convert_to_rfc1123 CVE-2015-8126 CVE-2015-8472 libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2596: libpng security update (Moderate) Red Hat Enterprise Linux 7 The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. It was discovered that the png_get_PLTE() and png_set_PLTE() functions of libpng did not correctly calculate the maximum palette sizes for bit depths of less than 8. In case an application tried to use these functions in combination with properly calculated palette sizes, this could lead to a buffer overflow or out-of-bounds reads. An attacker could exploit this to cause a crash or potentially execute arbitrary code by tricking an unsuspecting user into processing a specially crafted PNG image. However, the exact impact is dependent on the application using the library. (CVE-2015-8126, CVE-2015-8472) All libpng users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-8126 CVE-2015-8472 CVE-2015-8126 CVE-2015-8472 libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2617: openssl security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A NULL pointer derefernce flaw was found in the way OpenSSL verified signatures using the RSA PSS algorithm. A remote attacked could possibly use this flaw to crash a TLS/SSL client using OpenSSL, or a TLS/SSL server using OpenSSL if it enabled client authentication. (CVE-2015-3194) A memory leak vulnerability was found in the way OpenSSL parsed PKCS#7 and CMS data. A remote attacker could use this flaw to cause an application that parses PKCS#7 or CMS data from untrusted sources to use an excessive amount of memory and possibly crash. (CVE-2015-3195) A race condition flaw, leading to a double free, was found in the way OpenSSL handled pre-shared key (PSK) identify hints. A remote attacker could use this flaw to crash a multi-threaded SSL/TLS client using OpenSSL. (CVE-2015-3196) All openssl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-3194 CVE-2015-3195 CVE-2015-3196 CVE-2015-3194 OpenSSL: Certificate verify crash with missing PSS parameter CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak CVE-2015-3196 OpenSSL: Race condition handling PSK identify hint cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2619: libreoffice security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite. It was discovered that LibreOffice did not properly restrict automatic link updates. By tricking a victim into opening specially crafted documents, an attacker could possibly use this flaw to disclose contents of files accessible by the victim. (CVE-2015-4551) An integer underflow flaw leading to a heap-based buffer overflow when parsing PrinterSetup data was discovered. By tricking a user into opening a specially crafted document, an attacker could possibly exploit this flaw to execute arbitrary code with the privileges of the user opening the file. (CVE-2015-5212) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way LibreOffice processed certain Microsoft Word .doc files. By tricking a user into opening a specially crafted Microsoft Word .doc document, an attacker could possibly use this flaw to execute arbitrary code with the privileges of the user opening the file. (CVE-2015-5213) It was discovered that LibreOffice did not properly sanity check bookmark indexes. By tricking a user into opening a specially crafted document, an attacker could possibly use this flaw to execute arbitrary code with the privileges of the user opening the file. (CVE-2015-5214) All libreoffice users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2015 Red Hat, Inc. CVE-2015-4551 CVE-2015-5212 CVE-2015-5213 CVE-2015-5214 CVE-2015-4551 libreoffice: Arbitrary file disclosure in Calc and Writer CVE-2015-5212 libreoffice: Integer underflow in PrinterSetup length CVE-2015-5213 libreoffice: Integer overflow in DOC files CVE-2015-5214 libreoffice: Bookmarks in DOC documents are insufficiently checked causing memory corruption cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2623: grub2 security and bug fix update (Moderate) Red Hat Enterprise Linux 7 The grub2 packages provide version 2 of the Grand Unified Bootloader (GRUB), a highly configurable and customizable bootloader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. A flaw was found in the way the grub2 handled backspace characters entered in username and password prompts. An attacker with access to the system console could use this flaw to bypass grub2 password protection and gain administrative access to the system. (CVE-2015-8370) This update also fixes the following bug: * When upgrading from Red Hat Enterprise Linux 7.1 and earlier, a configured boot password was not correctly migrated to the newly introduced user.cfg configuration files. This could possibly prevent system administrators from changing grub2 configuration during system boot even if they provided the correct password. This update corrects the password migration script and the incorrectly generated user.cfg file. (BZ#1290089) All grub2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For this update to take effect on BIOS-based machines, grub2 needs to be reinstalled as documented in the "Reinstalling GRUB 2 on BIOS-Based Machines" section of the Red Hat Enterprise Linux 7 System Administrator's Guide linked to in the References section. No manual action is needed on UEFI-based machines. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-8370 CVE-2015-8370 grub2: buffer overflow when checking password entered during bootup Grub password broken by update from RHEL7.1 to RHEL7.2 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:2655: bind security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the way BIND processed certain records with malformed class attributes. A remote attacker could use this flaw to send a query to request a cached record with a malformed class attribute that would cause named functioning as an authoritative or recursive server to crash. (CVE-2015-8000) Note: This issue affects authoritative servers as well as recursive servers, however authoritative servers are at limited risk if they perform authentication when making recursive queries to resolve addresses for servers listed in NS RRSETs. Red Hat would like to thank ISC for reporting this issue. All bind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2015 Red Hat, Inc. CVE-2015-8000 CVE-2015-8000 bind: responses with a malformed class attribute can trigger an assertion failure in db.c cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:2657: firefox security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-7201, CVE-2015-7205, CVE-2015-7210, CVE-2015-7212, CVE-2015-7213, CVE-2015-7222) A flaw was found in the way Firefox handled content using the 'data:' and 'view-source:' URIs. An attacker could use this flaw to bypass the same-origin policy and read data from cross-site URLs and local files. (CVE-2015-7214) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Andrei Vaida, Jesse Ruderman, Bob Clary, Looben Yang, Abhishek Arya, Ronald Crane, Gerald Squelart, and Tsubasa Iinuma as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.5.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2015 Red Hat, Inc. CVE-2015-7201 CVE-2015-7205 CVE-2015-7210 CVE-2015-7212 CVE-2015-7213 CVE-2015-7214 CVE-2015-7222 CVE-2015-7201 Mozilla: Miscellaneous memory safety hazards (rv:38.5) (MFSA 2015-134) CVE-2015-7210 Mozilla: Use-after-free in WebRTC when datachannel is used after being destroyed (MFSA 2015-138) CVE-2015-7212 Mozilla: Integer overflow allocating extremely large textures (MFSA 2015-139) CVE-2015-7205 Mozilla: Underflow through code inspection (MFSA 2015-145) CVE-2015-7213 Mozilla: Integer overflow in MP4 playback in 64-bit versions (MFSA 2015-146) CVE-2015-7222 Mozilla: Integer underflow and buffer overflow processing MP4 metadata in libstagefright (MFSA 2015-147) CVE-2015-7214 Mozilla: Cross-site reading attack through data: and view-source: URIs (MFSA 2015-149) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:0001: thunderbird security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-7201, CVE-2015-7205, CVE-2015-7212, CVE-2015-7213) A flaw was found in the way Thunderbird handled content using the 'data:' and 'view-source:' URIs. An attacker could use this flaw to bypass the same-origin policy and read data from cross-site URLs and local files. (CVE-2015-7214) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Andrei Vaida, Jesse Ruderman, Bob Clary, Abhishek Arya, Ronald Crane, and Tsubasa Iinuma as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 38.5.0. You can find a link to the Mozilla advisories in the References section of this erratum. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 38.5.0, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. Important Copyright 2016 Red Hat, Inc. CVE-2015-7201 CVE-2015-7205 CVE-2015-7212 CVE-2015-7213 CVE-2015-7214 CVE-2015-7201 Mozilla: Miscellaneous memory safety hazards (rv:38.5) (MFSA 2015-134) CVE-2015-7212 Mozilla: Integer overflow allocating extremely large textures (MFSA 2015-139) CVE-2015-7205 Mozilla: Underflow through code inspection (MFSA 2015-145) CVE-2015-7213 Mozilla: Integer overflow in MP4 playback in 64-bit versions (MFSA 2015-146) CVE-2015-7214 Mozilla: Cross-site reading attack through data: and view-source: URIs (MFSA 2015-149) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 cpe:/a:redhat:rhel_productivity:5 RHSA-2016:0005: rpcbind security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The rpcbind utility is a server that converts RPC program numbers into universal addresses. It must be running on the host to be able to make RPC calls on a server on that machine. A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote attacker could possibly exploit this flaw to crash the rpcbind service by performing a series of UDP and TCP calls. (CVE-2015-7236) All rpcbind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. If the rpcbind service is running, it will be automatically restarted after installing this update. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-7236 CVE-2015-7236 rpcbind: Use-after-free vulnerability in PMAP_CALLIT cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:0006: samba security update (Moderate) Red Hat Enterprise Linux 7 Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A denial of service flaw was found in the LDAP server provided by the AD DC in the Samba process daemon. A remote attacker could exploit this flaw by sending a specially crafted packet, which could cause the server to consume an excessive amount of memory and crash. (CVE-2015-7540) Multiple buffer over-read flaws were found in the way Samba handled malformed inputs in certain encodings. An authenticated, remote attacker could possibly use these flaws to disclose portions of the server memory. (CVE-2015-5330) A man-in-the-middle vulnerability was found in the way "connection signing" was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher of the Samba Team and Sernet.de as the original reporters of CVE-2015-5296, partha@exablox.com as the original reporter of CVE-2015-5299, Jan "Yenya" Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University as the original reporters of CVE-2015-5252 flaws, and Douglas Bagnall as the original reporter of CVE-2015-5330. All samba users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-5252 CVE-2015-5296 CVE-2015-5299 CVE-2015-5330 CVE-2015-5299 Samba: Missing access control check in shadow copy code CVE-2015-5330 samba, libldb: remote memory read in the Samba LDAP server CVE-2015-7540 samba: DoS to AD-DC due to insufficient checking of asn1 memory allocation CVE-2015-5252 samba: Insufficient symlink verification in smbd CVE-2015-5296 samba: client requesting encryption vulnerable to downgrade attack cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0007: nss security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575) All nss users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the NSS library must be restarted, or the system rebooted. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-7575 CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:0008: openssl security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575) All openssl users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-7575 CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:0009: libldb security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The libldb packages provide an extensible library that implements an LDAP-like API to access remote LDAP servers, or use local TDB databases. A denial of service flaw was found in the ldb_wildcard_compare() function of libldb. A remote attacker could send a specially crafted packet that, when processed by an application using libldb (for example the AD LDAP server in Samba), would cause that application to consume an excessive amount of memory and crash. (CVE-2015-3223) A memory-read flaw was found in the way the libldb library processed LDB DN records with a null byte. An authenticated, remote attacker could use this flaw to read heap-memory pages from the server. (CVE-2015-5330) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Thilo Uttendorfer as the original reporter of CVE-2015-3223, and Douglas Bagnall as the original reporter of CVE-2015-5330. All libldb users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-3223 CVE-2015-5330 CVE-2015-5330 samba, libldb: remote memory read in the Samba LDAP server CVE-2015-3223 libldb: Remote DoS in Samba (AD) LDAP server cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:0012: gnutls security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575) All gnutls users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-7575 CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:0043: openssh security update (Moderate) Red Hat Enterprise Linux 7 OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client. (CVE-2016-0777) A buffer overflow flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to execute arbitrary code on a successfully authenticated OpenSSH client if that client used certain non-default configuration options. (CVE-2016-0778) Red Hat would like to thank Qualys for reporting these issues. All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-0777 CVE-2016-0778 CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature CVE-2016-0778 OpenSSH: Client buffer-overflow when using roaming connections cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0049: java-1.8.0-openjdk security update (Critical) Red Hat Enterprise Linux 7 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2016-0483) An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2016-0494) It was discovered that the password-based encryption (PBE) implementation in the Libraries component in OpenJDK used an incorrect key length. This could, in certain cases, lead to generation of keys that were weaker than expected. (CVE-2016-0475) It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory. (CVE-2016-0466) A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575) Multiple flaws were discovered in the Networking and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-0402, CVE-2016-0448) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file. All users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Critical Copyright 2016 Red Hat, Inc. CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0475 CVE-2016-0483 CVE-2016-0494 CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH) CVE-2016-0494 ICU: integer signedness issue in IndicRearrangementProcessor (OpenJDK 2D, 8140543) CVE-2016-0475 OpenJDK: PBE incorrect key lengths (Libraries, 8138589) CVE-2016-0402 OpenJDK: URL deserialization inconsistencies (Networking, 8059054) CVE-2016-0448 OpenJDK: logging of RMI connection secrets (JMX, 8130710) CVE-2016-0466 OpenJDK: insufficient enforcement of totalEntitySizeLimit (JAXP, 8133962) CVE-2016-0483 OpenJDK: incorrect boundary check in JPEG decoder (AWT, 8139017) cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0054: java-1.7.0-openjdk security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2016-0483) An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2016-0494) It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory. (CVE-2016-0466) A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575) Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4871, CVE-2016-0402, CVE-2016-0448) Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2016 Red Hat, Inc. CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 CVE-2015-4871 OpenJDK: protected methods can be used as interface methods via DirectMethodHandle (Libraries) CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH) CVE-2016-0494 ICU: integer signedness issue in IndicRearrangementProcessor (OpenJDK 2D, 8140543) CVE-2016-0402 OpenJDK: URL deserialization inconsistencies (Networking, 8059054) CVE-2016-0448 OpenJDK: logging of RMI connection secrets (JMX, 8130710) CVE-2016-0466 OpenJDK: insufficient enforcement of totalEntitySizeLimit (JAXP, 8133962) CVE-2016-0483 OpenJDK: incorrect boundary check in JPEG decoder (AWT, 8139017) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0063: ntp security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client. (CVE-2015-8138) All ntp users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the ntpd daemon will restart automatically. Important Copyright 2016 Red Hat, Inc. CVE-2015-8138 CVE-2015-8138 ntp: missing check for zero originate timestamp cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:0064: kernel security update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important) Red Hat would like to thank the Perception Point research team for reporting this issue. All kernel users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. Important Copyright 2016 Red Hat, Inc. CVE-2016-0728 CVE-2016-0728 kernel: Possible use-after-free vulnerability in keyring facility cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0065: kernel-rt security update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2016-0728, Important) Red Hat would like to thank the Perception Point research team for reporting this issue. All kernel-rt users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. Important Copyright 2016 Red Hat, Inc. CVE-2016-0728 CVE-2016-0728 kernel: Possible use-after-free vulnerability in keyring facility cpe:/a:redhat:rhel_extras_rt:7 RHSA-2016:0067: java-1.6.0-openjdk security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2016-0483) An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2016-0494) It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory. (CVE-2016-0466) Multiple flaws were discovered in the Networking and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-0402, CVE-2016-0448) Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2016 Red Hat, Inc. CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 CVE-2016-0494 ICU: integer signedness issue in IndicRearrangementProcessor (OpenJDK 2D, 8140543) CVE-2016-0402 OpenJDK: URL deserialization inconsistencies (Networking, 8059054) CVE-2016-0448 OpenJDK: logging of RMI connection secrets (JMX, 8130710) CVE-2016-0466 OpenJDK: insufficient enforcement of totalEntitySizeLimit (JAXP, 8133962) CVE-2016-0483 OpenJDK: incorrect boundary check in JPEG decoder (AWT, 8139017) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:0071: firefox security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-1930, CVE-2016-1935) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Bob Clary, Christian Holler, Nils Ohlmeier, Gary Kwong, Jesse Ruderman, Carsten Book, Randell Jesup, and Aki Helin as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.6.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2016 Red Hat, Inc. CVE-2016-1930 CVE-2016-1935 CVE-2016-1930 Mozilla: Miscellaneous memory safety hazards (rv:38.6) (MFSA 2016-01) CVE-2016-1935 Mozilla: Buffer overflow in WebGL after out of memory allocation (MFSA 2016-03) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0073: bind security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the way BIND processed certain malformed Address Prefix List (APL) records. A remote, authenticated attacker could use this flaw to cause named to crash. (CVE-2015-8704) Red Hat would like to thank ISC for reporting this issue. All bind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-8704 CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:0083: qemu-kvm security and bug fix update (Important) Red Hat Enterprise Linux 7 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An out-of-bounds read/write flaw was discovered in the way QEMU's Firmware Configuration device emulation processed certain firmware configurations. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance or, potentially, execute arbitrary code on the host with privileges of the QEMU process. (CVE-2016-1714) Red Hat would like to thank Donghai Zhu of Alibaba for reporting this issue. This update also fixes the following bugs: * Incorrect handling of the last sector of an image file could trigger an assertion failure in qemu-img. This update changes the handling of the last sector, and no assertion failure occurs. (BZ#1298828) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect. Important Copyright 2016 Red Hat, Inc. CVE-2016-1714 CVE-2016-1714 Qemu: nvram: OOB r/w access in processing firmware configurations [abrt] qemu-img: get_block_status(): qemu-img killed by SIGABRT cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0176: glibc security and bug fix update (Critical) Red Hat Enterprise Linux 7 The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module. (CVE-2015-7547) It was discovered that the calloc implementation in glibc could return memory areas which contain non-zero bytes. This could result in unexpected application behavior such as hangs or crashes. (CVE-2015-5229) The CVE-2015-7547 issue was discovered by the Google Security Team and Red Hat. Red Hat would like to thank Jeff Layton for reporting the CVE-2015-5229 issue. This update also fixes the following bugs: * The existing implementation of the "free" function causes all memory pools beyond the first to return freed memory directly to the operating system as quickly as possible. This can result in performance degradation when the rate of free calls is very high. The first memory pool (the main pool) does provide a method to rate limit the returns via M_TRIM_THRESHOLD, but this method is not available to subsequent memory pools. With this update, the M_TRIM_THRESHOLD method is extended to apply to all memory pools, which improves performance for threads with very high amounts of free calls and limits the number of "madvise" system calls. The change also increases the total transient memory usage by processes because the trim threshold must be reached before memory can be freed. To return to the previous behavior, you can either set M_TRIM_THRESHOLD using the "mallopt" function, or set the MALLOC_TRIM_THRESHOLD environment variable to 0. (BZ#1298930) * On the little-endian variant of 64-bit IBM Power Systems (ppc64le), a bug in the dynamic loader could cause applications compiled with profiling enabled to fail to start with the error "monstartup: out of memory". The bug has been corrected and applications compiled for profiling now start correctly. (BZ#1298956) All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Critical Copyright 2016 Red Hat, Inc. CVE-2015-5229 CVE-2015-7547 CVE-2015-5229 glibc: calloc may return non-zero memory CVE-2015-7547 glibc: getaddrinfo stack-based buffer overflow "monstartup: out of memory" on PPC64LE [rhel-7.2.z] cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0185: kernel security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-7872, Important) * A flaw was found in the way the Linux kernel handled IRET faults during the processing of NMIs. An unprivileged, local user could use this flaw to crash the system or, potentially (although highly unlikely), escalate their privileges on the system. (CVE-2015-5157, Moderate) This update also fixes the following bugs: * Previously, processing packets with a lot of different IPv6 source addresses caused the kernel to return warnings concerning soft-lockups due to high lock contention and latency increase. With this update, lock contention is reduced by backing off concurrent waiting threads on the lock. As a result, the kernel no longer issues warnings in the described scenario. (BZ#1285370) * Prior to this update, block device readahead was artificially limited. As a consequence, the read performance was poor, especially on RAID devices. Now, per-device readahead limits are used for each device instead of a global limit. As a result, read performance has improved, especially on RAID devices. (BZ#1287550) * After injecting an EEH error, the host was previously not recovering and observing I/O hangs in HTX tool logs. This update makes sure that when one or both of EEH_STATE_MMIO_ACTIVE and EEH_STATE_MMIO_ENABLED flags is marked in the PE state, the PE's IO path is regarded as enabled as well. As a result, the host no longer hangs and recovers as expected. (BZ#1289101) * The genwqe device driver was previously using the GFP_ATOMIC flag for allocating consecutive memory pages from the kernel's atomic memory pool, even in non-atomic situations. This could lead to allocation failures during memory pressure. With this update, the genwqe driver's memory allocations use the GFP_KERNEL flag, and the driver can allocate memory even during memory pressure situations. (BZ#1289450) * The nx842 co-processor for IBM Power Systems could in some circumstances provide invalid data due to a data corruption bug during uncompression. With this update, all compression and uncompression calls to the nx842 co-processor contain a cyclic redundancy check (CRC) flag, which forces all compression and uncompression operations to check data integrity and prevents the co-processor from providing corrupted data. (BZ#1289451) * A failed "updatepp" operation on the little-endian variant of IBM Power Systems could previously cause a wrong hash value to be used for the next hash insert operation in the page table. This could result in a missing hash pte update or invalidate operation, potentially causing memory corruption. With this update, the hash value is always recalculated after a failed "updatepp" operation, avoiding memory corruption. (BZ#1289452) * Large Receive Offload (LRO) flag disabling was not being propagated downwards from above devices in vlan and bond hierarchy, breaking the flow of traffic. This problem has been fixed and LRO flags now propagate correctly. (BZ#1292072) * Due to rounding errors in the CPU frequency of the intel_pstate driver, the CPU frequency never reached the value requested by the user. A kernel patch has been applied to fix these rounding errors. (BZ#1296276) * When running several containers (up to 100), reports of hung tasks were previously reported. This update fixes the AB-BA deadlock in the dm_destroy() function, and the hung reports no longer occur. (BZ#1296566) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2016 Red Hat, Inc. CVE-2015-5157 CVE-2015-7872 CVE-2015-5157 kernel: x86-64: IRET faults during NMIs processing CVE-2015-7872 kernel: Keyrings crash triggerable by unprivileged user cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0188: sos security and bug fix update (Moderate) Red Hat Enterprise Linux 7 The sos package contains a set of utilities that gather information from system hardware, logs, and configuration files. The information can then be used for diagnostic purposes and debugging. An insecure temporary file use flaw was found in the way sos created certain sosreport files. A local attacker could possibly use this flaw to perform a symbolic link attack to reveal the contents of sosreport files, or in some cases modify arbitrary files and escalate their privileges on the system. (CVE-2015-7529) This issue was discovered by Mateusz Guzik of Red Hat. This update also fixes the following bug: * Previously, the sosreport tool was not collecting the /var/lib/ceph and /var/run/ceph directories when run with the ceph plug-in enabled, causing the generated sosreport archive to miss vital troubleshooting information about ceph. With this update, the ceph plug-in for sosreport collects these directories, and the generated report contains more useful information. (BZ#1291347) All users of sos are advised to upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-7529 CVE-2015-7529 sos: Usage of predictable temporary files allows privilege escalation cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0189: polkit security update (Moderate) Red Hat Enterprise Linux 7 PolicyKit is a toolkit for defining and handling authorizations. A denial of service flaw was found in how polkit handled authorization requests. A local, unprivileged user could send malicious requests to polkit, which could then cause the polkit daemon to corrupt its memory and crash. (CVE-2015-3256) All polkit users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-3256 CVE-2015-3256 polkit: Memory corruption via javascript rule evaluation cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0197: firefox security update (Critical) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Multiple security flaws were found in the graphite2 font library shipped with Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523) All Firefox users should upgrade to these updated packages, which contain Firefox version 38.6.1 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2016 Red Hat, Inc. CVE-2016-1521 CVE-2016-1522 CVE-2016-1523 CVE-2016-1969 CVE-2016-1521 graphite2: Out-of-bound read vulnerability triggered by crafted fonts CVE-2016-1522 graphite2: Null pointer dereference and out-of-bounds access vulnerabilities CVE-2016-1523 graphite2: Heap-based buffer overflow in context item handling functionality Mozilla: Vulnerabilities in Graphite 2 (MFSA 2016-14) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 RHSA-2016:0204: 389-ds-base security and bug fix update (Important) Red Hat Enterprise Linux 7 The 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. An infinite-loop vulnerability was discovered in the 389 directory server, where the server failed to correctly handle unexpectedly closed client connections. A remote attacker able to connect to the server could use this flaw to make the directory server consume an excessive amount of CPU and stop accepting connections (denial of service). (CVE-2016-0741) This update fixes the following bugs: * Previously, if a simple paged results search failed in the back end, the simple paged results slot was not released. Consequently, the simple paged results slots in a connection object could be accumulated. With this update, the simple paged results slot is released correctly when a search fails, and unused simple paged results slots are no longer left in a connection object. (BZ#1290725) * Previously, when several values of the same attribute were deleted using the ldapmodify command, and at least one of them was added again during the same operation, the equality index was not updated. As a consequence, an exact search for the re-added attribute value did not return the entry. The logic of the index code has been modified to update the index if at least one of the values in the entry changes, and the exact search for the re-added attribute value now returns the correct entry. (BZ#1290726) * Prior to this update, when the cleanAllRUV task was running, a bogus attrlist_replace error message was logged repeatedly due to a memory corruption. With this update, the appropriate memory copy function memmove is used, which fixes the memory corruption. As a result, the error messages are no longer logged in this scenario. (BZ#1295684) * To fix a simple paged results bug, an exclusive lock on a connection was previously added. This consequently caused a self deadlock in a particular case. With this update, the exclusive lock on a connection has been changed to the re-entrant type, and the self deadlock no longer occurs. (BZ#1298105) * Previously, an unnecessary lock was sometimes acquired on a connection object, which could consequently cause a deadlock. A patch has been applied to remove the unnecessary locking, and the deadlock no longer occurs. (BZ#1299346) Users of 389-ds-base are advised to upgrade to these updated packages, which correct these issues. After installing this update, the 389 server service will be restarted automatically. Important Copyright 2016 Red Hat, Inc. CVE-2016-0741 SimplePagedResults -- in the search error case, simple paged results slot was not released. The 'eq' index does not get updated properly when deleting and re-adding attributes in the same ldapmodify operation many attrlist_replace errors in connection with cleanallruv deadlock on connection mutex CVE-2016-0741 389-ds-base: worker threads do not detect abnormally closed connections causing DoS cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0212: kernel-rt security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-7872, Important) * A flaw was found in the way the Linux kernel handled IRET faults during the processing of NMIs. An unprivileged, local user could use this flaw to crash the system or, potentially (although highly unlikely), escalate their privileges on the system. (CVE-2015-5157, Moderate) The kernel-rt packages have been upgraded to version 3.10.0-327.10.1, which provides a number of bug fixes and enhancements, including: * [md] dm: fix AB-BA deadlock in __dm_destroy() * [md] revert "dm-mpath: fix stalls when handling invalid ioctl * [cpufreq] intel_pstate: Fix limits->max_perf and limits->max_policy_pct rounding errors * [cpufreq] revert "intel_pstate: fix rounding error in max_freq_pct" * [crypto] nx: 842 - Add CRC and validation support * [of] return NUMA_NO_NODE from fallback of_node_to_nid() (BZ#1282591) This update also fixes the following bugs: * Because the realtime kernel replaces most of the spinlocks with rtmutexes, the locking scheme used in both NAPI polling and busy polling could become out of synchronization with the State Machine they protected. This could cause system performance degradation or even a livelock situation when a machine with faster NICs (10g or 40g) was subject to a heavy pressure receiving network packets. The locking schemes on NAPI polling and busy polling routines have been hardened to enforce the State machine sanity to help ensure the system continues to function properly under pressure. (BZ#1293230) * A possible livelock in the NAPI polling and busy polling routines could lead the system to a livelock on threads running at high, realtime, priorities. The threads running at priorities lower than the ones of the threads involved in the livelock were prevented from running on the CPUs affected by the livelock. Among those lower priority threads are the rcuc/ threads. With this update, right before (4 jiffies) a RCU stall is detected, the rcuc/ threads on the CPUs facing the livelock have their priorities boosted above the priority of the threads involved in the livelock. The softirq code has also been updated to be more robust. These modifications allow the rcuc/ threads to execute even under system pressure, mitigating the RCU stalls. (BZ#1293229) * Multiple CPUs trying to take an rq lock previously caused large latencies on machines with many CPUs. On systems with more than 32 cores, this update uses the "push" rather than "pull" approach and provides multiple changes to the scheduling of rq locks. As a result, machines no longer suffer from multiplied latencies on large CPU systems. (BZ#1282597) * Previously, the SFC driver for 10 GB cards executed polling in NAPI mode, using a locking mechanism similar to a "trylock". Consequently, when running on a Realtime kernel, a livelock could occur. This update modifies the locking mechanism so that once the lock is taken it is not released until the operation is complete. (BZ#1282609) All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect. Important Copyright 2016 Red Hat, Inc. CVE-2015-5157 CVE-2015-7872 CVE-2015-5157 kernel: x86-64: IRET faults during NMIs processing CVE-2015-7872 kernel: Keyrings crash triggerable by unprivileged user kernel-rt: update to the RHEL7.2.z batch 2 source tree RCU stalls message on realtime kernel rt: netpoll: live lock with NAPI polling and busy polling on realtime kernel cpe:/a:redhat:rhel_extras_rt:7 RHSA-2016:0258: thunderbird security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2016-1930, CVE-2016-1935) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Bob Clary, Christian Holler, Nils Ohlmeier, Gary Kwong, Jesse Ruderman, Carsten Book, Randell Jesup, and Aki Helin as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 38.6.0. You can find a link to the Mozilla advisories in the References section of this erratum. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 38.6.0, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. Important Copyright 2016 Red Hat, Inc. CVE-2016-1521 CVE-2016-1522 CVE-2016-1523 CVE-2016-1930 CVE-2016-1935 CVE-2016-1930 Mozilla: Miscellaneous memory safety hazards (rv:38.6) (MFSA 2016-01) CVE-2016-1935 Mozilla: Buffer overflow in WebGL after out of memory allocation (MFSA 2016-03) cpe:/o:redhat:enterprise_linux:6 cpe:/a:redhat:rhel_productivity:5 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0301: openssl security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800) Note: This issue was addressed by disabling the SSLv2 protocol by default when using the 'SSLv23' connection methods, and removing support for weak SSLv2 cipher suites. For more information, refer to the knowledge base article linked to in the References section. A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2 ciphers that have been disabled on the server. This could result in weak SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to man-in-the-middle attacks. (CVE-2015-3197) A side-channel attack was found that makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture. An attacker who has the ability to control code in a thread running on the same hyper-threaded core as the victim's thread that is performing decryption, could use this flaw to recover RSA private keys. (CVE-2016-0702) A double-free flaw was found in the way OpenSSL parsed certain malformed DSA (Digital Signature Algorithm) private keys. An attacker could create specially crafted DSA private keys that, when processed by an application compiled against OpenSSL, could cause the application to crash. (CVE-2016-0705) An integer overflow flaw, leading to a NULL pointer dereference or a heap-based memory corruption, was found in the way some BIGNUM functions of OpenSSL were implemented. Applications that use these functions with large untrusted input could crash or, potentially, execute arbitrary code. (CVE-2016-0797) Red Hat would like to thank the OpenSSL project for reporting these issues. Upstream acknowledges Nimrod Aviram and Sebastian Schinzel as the original reporters of CVE-2016-0800 and CVE-2015-3197; Adam Langley (Google/BoringSSL) as the original reporter of CVE-2016-0705; Yuval Yarom (University of Adelaide and NICTA), Daniel Genkin (Technion and Tel Aviv University), Nadia Heninger (University of Pennsylvania) as the original reporters of CVE-2016-0702; and Guido Vranken as the original reporter of CVE-2016-0797. All openssl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Important Copyright 2016 Red Hat, Inc. CVE-2015-3197 CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 CVE-2016-0800 CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN) CVE-2016-0705 OpenSSL: Double-free in DSA code CVE-2016-0702 OpenSSL: Side channel attack on modular exponentiation CVE-2016-0797 OpenSSL: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:0346: postgresql security update (Important) Red Hat Enterprise Linux 7 PostgreSQL is an advanced object-relational database management system (DBMS). An integer overflow flaw, leading to a heap-based buffer overflow, was found in the PostgreSQL handling code for regular expressions. A remote attacker could use a specially crafted regular expression to cause PostgreSQL to crash or possibly execute arbitrary code. (CVE-2016-0773) Red Hat would like to thank PostgreSQL upstream for reporting this issue. Upstream acknowledges Tom Lane and Greg Stark as the original reporters. This update upgrades PostgreSQL to version 9.2.15. Refer to the Release Notes linked to in the References section for a detailed list of changes since the previous version. All PostgreSQL users are advised to upgrade to these updated packages, which correct this issue. If the postgresql service is running, it will be automatically restarted after installing this update. Important Copyright 2016 Red Hat, Inc. CVE-2016-0773 CVE-2016-0773 postgresql: case insensitive range handling integer overflow leading to buffer overflow cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0370: nss-util security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util package provides a set of utilities for NSS and the Softoken module. A heap-based buffer overflow flaw was found in the way NSS parsed certain ASN.1 structures. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash, or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library. (CVE-2016-1950) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Francis Gabriel as the original reporter. All nss-util users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all applications linked to the nss and nss-util library must be restarted, or the system rebooted. Critical Copyright 2016 Red Hat, Inc. CVE-2016-1950 CVE-2016-1950 nss: Heap buffer overflow vulnerability in ASN1 certificate parsing (MFSA 2016-35) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0372: openssl098e security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800) Note: This issue was addressed by disabling the SSLv2 protocol by default when using the 'SSLv23' connection methods, and removing support for weak SSLv2 cipher suites. For more information, refer to the knowledge base article linked to in the References section. It was discovered that the SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle.(CVE-2016-0703) It was discovered that the SSLv2 protocol implementation in OpenSSL did not properly implement the Bleichenbacher protection for export cipher suites. An attacker could use a SSLv2 server using OpenSSL as a Bleichenbacher oracle. (CVE-2016-0704) Note: The CVE-2016-0703 and CVE-2016-0704 issues could allow for more efficient exploitation of the CVE-2016-0800 issue via the DROWN attack. A denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293) A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2 ciphers that have been disabled on the server. This could result in weak SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to man-in-the-middle attacks. (CVE-2015-3197) Red Hat would like to thank the OpenSSL project for reporting these issues. Upstream acknowledges Nimrod Aviram and Sebastian Schinzel as the original reporters of CVE-2016-0800 and CVE-2015-3197; David Adrian (University of Michigan) and J. Alex Halderman (University of Michigan) as the original reporters of CVE-2016-0703 and CVE-2016-0704; and Sean Burford (Google) and Emilia Käsper (OpenSSL development team) as the original reporters of CVE-2015-0293. All openssl098e users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all services linked to the openssl098e library must be restarted, or the system rebooted. Important Copyright 2016 Red Hat, Inc. CVE-2015-0293 CVE-2015-3197 CVE-2016-0703 CVE-2016-0704 CVE-2016-0800 CVE-2015-0293 openssl: assertion failure in SSLv2 servers CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN) CVE-2016-0703 openssl: Divide-and-conquer session key recovery in SSLv2 CVE-2016-0704 openssl: SSLv2 Bleichenbacher protection overwrites wrong bytes for export ciphers cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:0373: firefox security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1958, CVE-2016-1960, CVE-2016-1961, CVE-2016-1962, CVE-2016-1973, CVE-2016-1974, CVE-2016-1964, CVE-2016-1965, CVE-2016-1966) Multiple security flaws were found in the graphite2 font library shipped with Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Bob Clary, Christoph Diehl, Christian Holler, Andrew McCreight, Daniel Holbert, Jesse Ruderman, Randell Jesup, Nicolas Golubovic, Jose Martinez, Romina Santillan, Abdulrahman Alqabandi, ca0nguyen, lokihardt, Dominique Hazaël-Massieux, Nicolas Grégoire, Tsubasa Iinuma, the Communications Electronics Security Group (UK) of the GCHQ, Holger Fuhrmannek, Ronald Crane, and Tyson Smith as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.7.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2016 Red Hat, Inc. CVE-2016-1952 CVE-2016-1954 CVE-2016-1957 CVE-2016-1958 CVE-2016-1960 CVE-2016-1961 CVE-2016-1962 CVE-2016-1964 CVE-2016-1965 CVE-2016-1966 CVE-2016-1973 CVE-2016-1974 CVE-2016-1977 CVE-2016-2790 CVE-2016-2791 CVE-2016-2792 CVE-2016-2793 CVE-2016-2794 CVE-2016-2795 CVE-2016-2796 CVE-2016-2797 CVE-2016-2798 CVE-2016-2799 CVE-2016-2800 CVE-2016-2801 CVE-2016-2802 CVE-2016-1952 Mozilla: Miscellaneous memory safety hazards (rv:38.7) (MFSA 2016-16) CVE-2016-1954 Mozilla: Local file overwriting and potential privilege escalation through CSP reports (MFSA 2016-17) CVE-2016-1957 Mozilla: Memory leak in libstagefright when deleting an array during MP4 processing (MFSA 2016-20) CVE-2016-1958 Mozilla: Displayed page address can be overridden (MFSA 2016-21) CVE-2016-1960 Mozilla: Use-after-free in HTML5 string parser (MFSA 2016-23) CVE-2016-1961 Mozilla: Use-after-free in SetBody (MFSA 2016-24) CVE-2016-1962 Mozilla: Use-after-free when using multiple WebRTC data channels (MFSA 2016-25) CVE-2016-1964 Mozilla: Use-after-free during XML transformations (MFSA 2016-27) CVE-2016-1965 Mozilla: Addressbar spoofing though history navigation and Location protocol property (MFSA 2016-28) CVE-2016-1966 Mozilla: Memory corruption with malicious NPAPI plugin (MFSA 2016-31) CVE-2016-1973 Mozilla: Use-after-free in GetStaticInstance in WebRTC (MFSA 2016-33) CVE-2016-1974 Mozilla: Out-of-bounds read in HTML parser following a failed allocation (MFSA 2016-34) Mozilla: Font vulnerabilities in the Graphite 2 library (MFSA 2016-37) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:0428: libssh2 security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The libssh2 packages provide a library that implements the SSHv2 protocol. A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) Red Hat would like to thank Aris Adamantiadis for reporting this issue. All libssh2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-0787 CVE-2016-0787 libssh2: bits/bytes confusion resulting in truncated Diffie-Hellman secret length cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0430: xerces-c security update (Important) Red Hat Enterprise Linux 7 Xerces-C is a validating XML parser written in a portable subset of C++. It was discovered that the Xerces-C XML parser did not properly process certain XML input. By providing specially crafted XML data to an application using Xerces-C for XML processing, a remote attacker could exploit this flaw to cause an application crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2016-0729) Red Hat would like to thank Gustavo Grieco for reporting this issue. All xerces-c users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using Xerces-C must be restarted for the update to take effect. Important Copyright 2016 Red Hat, Inc. CVE-2016-0729 CVE-2016-0729 xerces-c: parser crashes on malformed input cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0448: samba security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A flaw was found in the way Samba handled ACLs on symbolic links. An authenticated user could use this flaw to gain access to an arbitrary file or directory by overwriting its ACL. (CVE-2015-7560) Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Jeremy Allison (Google) and the Samba team as the original reporters. All samba users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the smb service will be restarted automatically. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-7560 CVE-2015-7560 samba: Incorrect ACL get/set allowed on symlink path cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0459: bind security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the way BIND parsed signature records for DNAME records. By sending a specially crafted query, a remote attacker could use this flaw to cause named to crash. (CVE-2016-1286) A denial of service flaw was found in the way BIND processed certain control channel input. A remote attacker able to send a malformed packet to the control channel could use this flaw to cause named to crash. (CVE-2016-1285) Red Hat would like to thank ISC for reporting these issues. All bind users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2016 Red Hat, Inc. CVE-2016-1285 CVE-2016-1286 CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure CVE-2016-1286 bind: malformed signature records for DNAME records can trigger assertion failure cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0460: thunderbird security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1960, CVE-2016-1961, CVE-2016-1974, CVE-2016-1964, CVE-2016-1966) Multiple security flaws were found in the graphite2 font library shipped with Thunderbird. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Bob Clary, Christoph Diehl, Christian Holler, Andrew McCreight, Daniel Holbert, Jesse Ruderman, Randell Jesup, Nicolas Golubovic, Jose Martinez, Romina Santillan, ca0nguyen, lokihardt, Nicolas Grégoire, the Communications Electronics Security Group (UK) of the GCHQ, Holger Fuhrmannek, Ronald Crane, and Tyson Smith as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 38.7.0. You can find a link to the Mozilla advisories in the References section of this erratum. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 38.7.0, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. Important Copyright 2016 Red Hat, Inc. CVE-2016-1952 CVE-2016-1954 CVE-2016-1957 CVE-2016-1960 CVE-2016-1961 CVE-2016-1964 CVE-2016-1966 CVE-2016-1974 CVE-2016-1977 CVE-2016-2790 CVE-2016-2791 CVE-2016-2792 CVE-2016-2793 CVE-2016-2794 CVE-2016-2795 CVE-2016-2796 CVE-2016-2797 CVE-2016-2798 CVE-2016-2799 CVE-2016-2800 CVE-2016-2801 CVE-2016-2802 CVE-2016-1952 Mozilla: Miscellaneous memory safety hazards (rv:38.7) (MFSA 2016-16) CVE-2016-1954 Mozilla: Local file overwriting and potential privilege escalation through CSP reports (MFSA 2016-17) CVE-2016-1957 Mozilla: Memory leak in libstagefright when deleting an array during MP4 processing (MFSA 2016-20) CVE-2016-1960 Mozilla: Use-after-free in HTML5 string parser (MFSA 2016-23) CVE-2016-1961 Mozilla: Use-after-free in SetBody (MFSA 2016-24) CVE-2016-1964 Mozilla: Use-after-free during XML transformations (MFSA 2016-27) CVE-2016-1966 Mozilla: Memory corruption with malicious NPAPI plugin (MFSA 2016-31) CVE-2016-1974 Mozilla: Out-of-bounds read in HTML parser following a failed allocation (MFSA 2016-34) graphite2: multiple font parsing vulnerabilities (Mozilla MFSA 2016-37) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/a:redhat:rhel_productivity:5 RHSA-2016:0465: openssh security update (Moderate) Red Hat Enterprise Linux 7 OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-1908 CVE-2016-3115 CVE-2016-1908 openssh: possible fallback from untrusted to trusted X11 forwarding CVE-2016-3115 openssh: missing sanitisation of input for X11 forwarding cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0496: git security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. An integer truncation flaw and an integer overflow flaw, both leading to a heap-based buffer overflow, were found in the way Git processed certain path information. A remote attacker could create a specially crafted Git repository that would cause a Git client or server to crash or, possibly, execute arbitrary code. (CVE-2016-2315, CVE-2016-2324) All git users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2016 Red Hat, Inc. CVE-2016-2315 CVE-2016-2324 CVE-2016-2315 CVE-2016-2324 git: path_name() integer truncation and overflow leading to buffer overflow cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:0512: java-1.7.0-openjdk security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit for compiling and executing Java programs. Security Fix(es): * An improper type safety check was discovered in the Hotspot component. An untrusted Java application or applet could use this flaw to bypass Java Sandbox restrictions. (CVE-2016-0636) Important Copyright 2016 Red Hat, Inc. CVE-2016-0636 CVE-2016-0636 OpenJDK: out-of-band urgent security fix (Hotspot, 8151666) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 RHSA-2016:0513: java-1.8.0-openjdk security update (Critical) Red Hat Enterprise Linux 7 The java-1.8.0-openjdk packages contain the latest version of the Open Java Development Kit (OpenJDK), OpenJDK 8. These packages provide a fully compliant implementation of Java SE 8. Security Fix(es): * An improper type safety check was discovered in the Hotspot component. An untrusted Java application or applet could use this flaw to bypass Java Sandbox restrictions. (CVE-2016-0636) Critical Copyright 2016 Red Hat, Inc. CVE-2016-0636 CVE-2016-0636 OpenJDK: out-of-band urgent security fix (Hotspot, 8151666) cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0532: krb5 security update (Moderate) Red Hat Enterprise Linux 7 Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). Security Fix(es): * A memory leak flaw was found in the krb5_unparse_name() function of the MIT Kerberos kadmind service. An authenticated attacker could repeatedly send specially crafted requests to the server, which could cause the server to consume large amounts of memory resources, ultimately leading to a denial of service due to memory exhaustion. (CVE-2015-8631) * An out-of-bounds read flaw was found in the kadmind service of MIT Kerberos. An authenticated attacker could send a maliciously crafted message to force kadmind to read beyond the end of allocated memory, and write the memory contents to the KDC database if the attacker has write permission, leading to information disclosure. (CVE-2015-8629) * A NULL pointer dereference flaw was found in the procedure used by the MIT Kerberos kadmind service to store policies: the kadm5_create_principal_3() and kadm5_modify_principal() function did not ensure that a policy was given when KADM5_POLICY was set. An authenticated attacker with permissions to modify the database could use this flaw to add or modify a principal with a policy set to NULL, causing the kadmind service to crash. (CVE-2015-8630) The CVE-2015-8631 issue was discovered by Simo Sorce of Red Hat. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-8629 CVE-2015-8630 CVE-2015-8631 CVE-2015-8629 krb5: xdr_nullstring() doesn't check for terminating null character CVE-2015-8630 krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask CVE-2015-8631 krb5: Memory leak caused by supplying a null principal name in request cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0534: mariadb security and bug fix update (Moderate) Red Hat Enterprise Linux 7 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: MariaDB (5.5.47). Refer to the MariaDB Release Notes listed in the References section for a complete list of changes. Security Fix(es): * It was found that the MariaDB client library did not properly check host names against server identities noted in the X.509 certificates when establishing secure connections using TLS/SSL. A man-in-the-middle attacker could possibly use this flaw to impersonate a server to a client. (CVE-2016-2047) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2015-4792, CVE-2015-4802, CVE-2015-4815, CVE-2015-4816, CVE-2015-4819, CVE-2015-4826, CVE-2015-4830, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4870, CVE-2015-4879, CVE-2015-4913, CVE-2016-0505, CVE-2016-0546, CVE-2016-0596, CVE-2016-0597, CVE-2016-0598, CVE-2016-0600, CVE-2016-0606, CVE-2016-0608, CVE-2016-0609, CVE-2016-0616) Bug Fix(es): * When more than one INSERT operation was executed concurrently on a non-empty InnoDB table with an AUTO_INCREMENT column defined as a primary key immediately after starting MariaDB, a race condition could occur. As a consequence, one of the concurrent INSERT operations failed with a "Duplicate key" error message. A patch has been applied to prevent the race condition. Now, each row inserted as a result of the concurrent INSERT operations receives a unique primary key, and the operations no longer fail in this scenario. (BZ#1303946) Moderate Copyright 2016 Red Hat, Inc. CVE-2015-4792 CVE-2015-4802 CVE-2015-4815 CVE-2015-4816 CVE-2015-4819 CVE-2015-4826 CVE-2015-4830 CVE-2015-4836 CVE-2015-4858 CVE-2015-4861 CVE-2015-4870 CVE-2015-4879 CVE-2015-4913 CVE-2016-0505 CVE-2016-0546 CVE-2016-0596 CVE-2016-0597 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 CVE-2016-0616 CVE-2016-0642 CVE-2016-0651 CVE-2016-2047 CVE-2016-3471 CVE-2015-4792 mysql: unspecified vulnerability related to Server:Partition (CPU October 2015) CVE-2015-4802 mysql: unspecified vulnerability related to Server:Partition (CPU October 2015) CVE-2015-4815 mysql: unspecified vulnerability related to Server:DDL (CPU October 2015) CVE-2015-4816 mysql: unspecified vulnerability related to Server:InnoDB (CPU October 2015) CVE-2015-4819 mysql: unspecified vulnerability related to Client programs (CPU October 2015) CVE-2015-4826 mysql: unspecified vulnerability related to Server:Types (CPU October 2015) CVE-2015-4830 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU October 2015) CVE-2015-4836 mysql: unspecified vulnerability related to Server:SP (CPU October 2015) CVE-2015-4858 mysql: unspecified vulnerability related to Server:DML (CPU October 2015) CVE-2015-4861 mysql: unspecified vulnerability related to Server:InnoDB (CPU October 2015) CVE-2015-4870 mysql: unspecified vulnerability related to Server:Parser (CPU October 2015) CVE-2015-4879 mysql: unspecified vulnerability related to Server:DML (CPU October 2015) CVE-2015-4913 mysql: unspecified vulnerability related to Server:DML (CPU October 2015) CVE-2016-0505 mysql: unspecified vulnerability in subcomponent: Server: Options (CPU January 2016) CVE-2016-0546 mysql: unspecified vulnerability in subcomponent: Client (CPU January 2016) CVE-2016-0596 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016) CVE-2016-0597 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016) CVE-2016-0598 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016) CVE-2016-0600 mysql: unspecified vulnerability in subcomponent: Server: InnoDB (CPU January 2016) CVE-2016-0606 mysql: unspecified vulnerability in subcomponent: Server: Security: Encryption (CPU January 2016) CVE-2016-0608 mysql: unspecified vulnerability in subcomponent: Server: UDF (CPU January 2016) CVE-2016-0609 mysql: unspecified vulnerability in subcomponent: Server: Security: Privileges (CPU January 2016) CVE-2016-0616 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016) CVE-2016-2047 mysql: ssl-validate-cert incorrect hostname check Duplicate key with auto increment cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0594: graphite2 security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 Graphite2 is a project within SIL's Non-Roman Script Initiative and Language Software Development groups to provide rendering capabilities for complex non-Roman writing systems. Graphite can be used to create "smart fonts" capable of displaying writing systems with various complex behaviors. With respect to the Text Encoding Model, Graphite handles the "Rendering" aspect of writing system implementation. The following packages have been upgraded to a newer upstream version: graphite2 (1.3.6). Security Fix(es): * Various vulnerabilities have been discovered in Graphite2. An attacker able to trick an unsuspecting user into opening specially crafted font files in an application using Graphite2 could exploit these flaws to cause the application to crash or, potentially, execute arbitrary code with the privileges of the application. (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523, CVE-2016-1526) Important Copyright 2016 Red Hat, Inc. CVE-2016-1521 CVE-2016-1522 CVE-2016-1523 CVE-2016-1526 CVE-2016-1521 graphite2: Out-of-bound read vulnerability triggered by crafted fonts CVE-2016-1522 graphite2: Null pointer dereference and out-of-bounds access vulnerabilities CVE-2016-1523 graphite2: Heap-based buffer overflow in context item handling functionality CVE-2016-1526 graphite2: Out-of-bounds read vulnerability in TfUtil:LocaLookup cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0612: samba and samba4 security, bug fix, and enhancement update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba (4.2.10). Refer to the Release Notes listed in the References section for a complete list of changes. Security Fix(es): * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. (CVE-2016-2113) * It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. (CVE-2016-2114) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, and CVE-2016-2115. Critical Copyright 2016 Red Hat, Inc. CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 CVE-2015-5370 samba: crash in dcesrv_auth_bind_ack due to missing error check CVE-2016-2110 samba: Man-in-the-middle attacks possible with NTLMSSP authentication CVE-2016-2111 samba: Spoofing vulnerability when domain controller is configured CVE-2016-2112 samba: Missing downgrade detection CVE-2016-2113 samba: Server certificates not validated at client side CVE-2016-2114 samba: Samba based active directory domain controller does not enforce smb signing CVE-2016-2115 samba: Smb signing not required by default when smb client connection is used for ipc usage CVE-2016-2118 samba: SAMR and LSA man in the middle attacks cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0650: java-1.8.0-openjdk security update (Critical) Red Hat Enterprise Linux 7 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es): * Multiple flaws were discovered in the Serialization and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-0686, CVE-2016-0687) * It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws. (CVE-2016-3427) * It was discovered that the JAXP component in OpenJDK failed to properly handle Unicode surrogate pairs used as part of the XML attribute values. Specially crafted XML input could cause a Java application to use an excessive amount of memory when parsed. (CVE-2016-3425) * It was discovered that the GCM (Galois/Counter Mode) implementation in the JCE component in OpenJDK used a non-constant time comparison when comparing GCM authentication tags. A remote attacker could possibly use this flaw to determine the value of the authentication tag. (CVE-2016-3426) * It was discovered that the Security component in OpenJDK failed to check the digest algorithm strength when generating DSA signatures. The use of a digest weaker than the key strength could lead to the generation of signatures that were weaker than expected. (CVE-2016-0695) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. Critical Copyright 2016 Red Hat, Inc. CVE-2016-0686 CVE-2016-0687 CVE-2016-0695 CVE-2016-3425 CVE-2016-3426 CVE-2016-3427 CVE-2016-0686 OpenJDK: insufficient thread consistency checks in ObjectInputStream (Serialization, 8129952) CVE-2016-0687 OpenJDK: insufficient byte type checks (Hotspot, 8132051) CVE-2016-0695 OpenJDK: insufficient DSA key parameters checks (Security, 8138593) CVE-2016-3425 OpenJDK: incorrect handling of surrogate pairs in XML attribute values (JAXP, 8143167) CVE-2016-3426 OpenJDK: non-constant time GCM authentication tag comparison (JCE, 8143945) CVE-2016-3427 OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430) cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0676: java-1.7.0-openjdk security update (Critical) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es): * Multiple flaws were discovered in the Serialization and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-0686, CVE-2016-0687) * It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws. (CVE-2016-3427) * It was discovered that the JAXP component in OpenJDK failed to properly handle Unicode surrogate pairs used as part of the XML attribute values. Specially crafted XML input could cause a Java application to use an excessive amount of memory when parsed. (CVE-2016-3425) * It was discovered that the Security component in OpenJDK failed to check the digest algorithm strength when generating DSA signatures. The use of a digest weaker than the key strength could lead to the generation of signatures that were weaker than expected. (CVE-2016-0695) Critical Copyright 2016 Red Hat, Inc. CVE-2016-0686 CVE-2016-0687 CVE-2016-0695 CVE-2016-3425 CVE-2016-3427 CVE-2016-0686 OpenJDK: insufficient thread consistency checks in ObjectInputStream (Serialization, 8129952) CVE-2016-0687 OpenJDK: insufficient byte type checks (Hotspot, 8132051) CVE-2016-0695 OpenJDK: insufficient DSA key parameters checks (Security, 8138593) CVE-2016-3425 OpenJDK: incorrect handling of surrogate pairs in XML attribute values (JAXP, 8143167) CVE-2016-3427 OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 RHSA-2016:0685: nss, nspr, nss-softokn, and nss-util security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. The following packages have been upgraded to a newer upstream version: nss (3.21.0), nss-util (3.21.0), nspr (4.11.0). (BZ#1310581, BZ#1303021, BZ#1299872) Security Fix(es): * A use-after-free flaw was found in the way NSS handled DHE (Diffie–Hellman key exchange) and ECDHE (Elliptic Curve Diffie-Hellman key exchange) handshake messages. A remote attacker could send a specially crafted handshake message that, when parsed by an application linked against NSS, would cause that application to crash or, under certain special conditions, execute arbitrary code using the permissions of the user running the application. (CVE-2016-1978) * A use-after-free flaw was found in the way NSS processed certain DER (Distinguished Encoding Rules) encoded cryptographic keys. An attacker could use this flaw to create a specially crafted DER encoded certificate which, when parsed by an application compiled against the NSS library, could cause that application to crash, or execute arbitrary code using the permissions of the user running the application. (CVE-2016-1979) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Eric Rescorla as the original reporter of CVE-2016-1978; and Tim Taubert as the original reporter of CVE-2016-1979. Bug Fix(es): * The nss-softokn package has been updated to be compatible with NSS 3.21. (BZ#1326221) Moderate Copyright 2016 Red Hat, Inc. CVE-2016-1978 CVE-2016-1979 Rebase RHEL 7.2.z to NSPR 4.11 in preparation for Firefox 45. Rebase RHEL 7.2.z to NSS-util 3.21 in preparation for Firefox 45. Rebase RHEL 7.2.z to NSS 3.21 in preparation for Firefox 45. CVE-2016-1979 nss: Use-after-free during processing of DER encoded keys in NSS (MFSA 2016-36) CVE-2016-1978 nss: Use-after-free in NSS during SSL connections in low memory (MFSA 2016-15) cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0695: firefox security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.1.0 ESR. Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-2805, CVE-2016-2806, CVE-2016-2807, CVE-2016-2808, CVE-2016-2814) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Phil Ringalda, CESG (the Information Security Arm of GCHQ), Sascha Just, Jesse Ruderman, Christian Holler, Tyson Smith, Boris Zbarsky, David Bolter, Carsten Book, Mats Palmgren, Gary Kwong, and Randell Jesup as the original reporters. Critical Copyright 2016 Red Hat, Inc. CVE-2016-1526 CVE-2016-2805 CVE-2016-2806 CVE-2016-2807 CVE-2016-2808 CVE-2016-2814 CVE-2016-2805 Mozilla: Miscellaneous memory safety hazards (rv:38.8) (MFSA 2016-39) CVE-2016-2806 Mozilla: Miscellaneous memory safety hazards (rv:46.0 / rv:45.1) (MFSA 2016-39) CVE-2016-2807 Mozilla: Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8) (MFSA 2016-39) CVE-2016-2814 Mozilla: Buffer overflow in libstagefright with CENC offsets (MFSA 2016-44) CVE-2016-2808 Mozilla: Write to invalid HashMap entry through JavaScript.watch() (MFSA 2016-47) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 RHSA-2016:0706: mercurial security update (Important) Red Hat Enterprise Linux 7 Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects. Security Fix(es): * It was discovered that Mercurial failed to properly check Git sub-repository URLs. A Mercurial repository that includes a Git sub-repository with a specially crafted URL could cause Mercurial to execute arbitrary code. (CVE-2016-3068) * It was discovered that the Mercurial convert extension failed to sanitize special characters in Git repository names. A Git repository with a specially crafted name could cause Mercurial to execute arbitrary code when the Git repository was converted to a Mercurial repository. (CVE-2016-3069) Red Hat would like to thank Blake Burkhart for reporting these issues. Important Copyright 2016 Red Hat, Inc. CVE-2016-3068 CVE-2016-3069 CVE-2016-3068 mercurial: command injection via git subrepository urls CVE-2016-3069 mercurial: convert extension command injection via git repository names cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0722: openssl security update (Important) Red Hat Enterprise Linux 7 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library. (CVE-2016-2108) * Two integer overflow flaws, leading to buffer overflows, were found in the way the EVP_EncodeUpdate() and EVP_EncryptUpdate() functions of OpenSSL parsed very large amounts of input data. A remote attacker could use these flaws to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105, CVE-2016-2106) * It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when the connection used the AES CBC cipher suite and the server supported AES-NI. A remote attacker could possibly use this flaw to retrieve plain text from encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2016-2107) * Several flaws were found in the way BIO_*printf functions were implemented in OpenSSL. Applications which passed large amounts of untrusted data through these functions could crash or potentially execute code with the permissions of the user running such an application. (CVE-2016-0799, CVE-2016-2842) * A denial of service flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data. (CVE-2016-2109) Red Hat would like to thank the OpenSSL project for reporting CVE-2016-2108, CVE-2016-2842, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, and CVE-2016-0799. Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) as the original reporters of CVE-2016-2108; Guido Vranken as the original reporter of CVE-2016-2842, CVE-2016-2105, CVE-2016-2106, and CVE-2016-0799; and Juraj Somorovsky as the original reporter of CVE-2016-2107. Important Copyright 2016 Red Hat, Inc. CVE-2016-0799 CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108 CVE-2016-2109 CVE-2016-2842 CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder CVE-2016-2107 openssl: Padding oracle in AES-NI CBC MAC check CVE-2016-2105 openssl: EVP_EncodeUpdate overflow CVE-2016-2106 openssl: EVP_EncryptUpdate overflow cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0723: java-1.6.0-openjdk security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. Security Fix(es): * Multiple flaws were discovered in the Serialization and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-0686, CVE-2016-0687) * It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws. (CVE-2016-3427) * It was discovered that the JAXP component in OpenJDK failed to properly handle Unicode surrogate pairs used as part of the XML attribute values. Specially crafted XML input could cause a Java application to use an excessive amount of memory when parsed. (CVE-2016-3425) * It was discovered that the Security component in OpenJDK failed to check the digest algorithm strength when generating DSA signatures. The use of a digest weaker than the key strength could lead to the generation of signatures that were weaker than expected. (CVE-2016-0695) Critical Copyright 2016 Red Hat, Inc. CVE-2016-0686 CVE-2016-0687 CVE-2016-0695 CVE-2016-3425 CVE-2016-3427 CVE-2016-0686 OpenJDK: insufficient thread consistency checks in ObjectInputStream (Serialization, 8129952) CVE-2016-0687 OpenJDK: insufficient byte type checks (Hotspot, 8132051) CVE-2016-0695 OpenJDK: insufficient DSA key parameters checks (Security, 8138593) CVE-2016-3425 OpenJDK: incorrect handling of surrogate pairs in XML attribute values (JAXP, 8143167) CVE-2016-3427 OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0724: qemu-kvm security update (Important) Red Hat Enterprise Linux 7 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix(es): * An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations via I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. (CVE-2016-3710) Red Hat would like to thank Wei Xiao (360 Marvel Team) and Qinghao Tang (360 Marvel Team) for reporting this issue. Important Copyright 2016 Red Hat, Inc. CVE-2016-3710 CVE-2016-3710 qemu: incorrect banked access bounds checking in vga module cpe:/o:redhat:enterprise_linux:7 RHSA-2016:0726: ImageMagick security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Security Fix(es): * It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. (CVE-2016-3714) * It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to delete, move, or disclose the contents of arbitrary files. (CVE-2016-3715, CVE-2016-3716, CVE-2016-3717) * A server-side request forgery flaw was discovered in the way ImageMagick processed certain images. A remote attacker could exploit this flaw to mislead an application using ImageMagick or an unsuspecting user using the ImageMagick utilities into, for example, performing HTTP(S) requests or opening FTP sessions via specially crafted images. (CVE-2016-3718) Note: This update contains an updated /etc/ImageMagick/policy.xml file that disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT, and LABEL coders. If you experience any problems after the update, it may be necessary to manually adjust the policy.xml file to match your requirements. Please take additional precautions to ensure that your applications using the ImageMagick library do not process malicious or untrusted files before doing so. Important Copyright 2016 Red Hat, Inc. CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717 CVE-2016-3718 CVE-2016-3714 ImageMagick: Insufficient shell characters filtering CVE-2016-3715 ImageMagick: File deletion CVE-2016-3716 ImageMagick: File moving CVE-2016-3717 ImageMagick: Local file read CVE-2016-3718 ImageMagick: SSRF vulnerability cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:1025: pcre security update (Important) Red Hat Enterprise Linux 7 PCRE is a Perl-compatible regular expression library. Security Fix(es): * Multiple flaws were found in the way PCRE handled malformed regular expressions. An attacker able to make an application using PCRE process a specially crafted regular expression could use these flaws to cause the application to crash or, possibly, execute arbitrary code. (CVE-2015-8385, CVE-2016-3191, CVE-2015-2328, CVE-2015-3217, CVE-2015-5073, CVE-2015-8388, CVE-2015-8391, CVE-2015-8386) Important Copyright 2016 Red Hat, Inc. CVE-2015-2328 CVE-2015-3217 CVE-2015-5073 CVE-2015-8385 CVE-2015-8386 CVE-2015-8388 CVE-2015-8391 CVE-2016-3191 CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match (8.38/11) CVE-2015-5073 CVE-2015-8388 pcre: buffer overflow for forward reference within backward assertion with excess closing parenthesis (8.38/18) CVE-2015-2328 pcre: infinite recursion compiling pattern with recursive reference in a group with indefinite repeat (8.36/20) CVE-2015-8385 pcre: buffer overflow caused by named forward reference to duplicate group number (8.38/30) CVE-2015-8386 pcre: Buffer overflow caused by lookbehind assertion (8.38/6) CVE-2015-8391 pcre: inefficient posix character class syntax check (8.38/16) CVE-2016-3191 pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12) cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1033: kernel security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * A flaw was found in the way the Linux kernel's ASN.1 DER decoder processed certain certificate files with tags of indefinite length. A local, unprivileged user could use a specially crafted X.509 certificate DER file to crash the system or, potentially, escalate their privileges on the system. (CVE-2016-0758, Important) Red Hat would like to thank Philip Pettersson of Samsung for reporting this issue. Bug Fix(es): * Under certain conditions, the migration threads could race with the CPU hotplug, which could cause a deadlock. A set of patches has been provided to fix this bug, and the deadlock no longer occurs in the system. (BZ#1299338) * A bug in the code that cleans up revoked delegations could previously cause a soft lockup in the NFS server. This patch fixes the underlying source code, so the lockup no longer occurs. (BZ#1311582) * The second attempt to reload Common Application Programming Interface (CAPI) devices on the little-endian variant of IBM Power Systems previously failed. The provided set of patches fixes this bug, and reloading works as intended. (BZ#1312396) * Due to inconsistencies in page size of IOMMU, the NVMe device, and the kernel, the BUG_ON signal previously occurred in the nvme_setup_prps() function, leading to the system crash while setting up the DMA transfer. The provided patch sets the default NVMe page size to 4k, thus preventing the system crash. (BZ#1312399) * Previously, on a system using the Infiniband mlx5 driver used for the SRP stack, a hard lockup previously occurred after the kernel exceeded time with lock held with interrupts blocked. As a consequence, the system panicked. This update fixes this bug, and the system no longer panics in this situation. (BZ#1313814) * On the little-endian variant of IBM Power Systems, the kernel previously crashed in the bitmap_weight() function while running the memory affinity script. The provided patch fortifies the topology setup and prevents sd->child from being set to NULL when it is already NULL. As a result, the memory affinity script runs successfully. (BZ#1316158) * When a KVM guest wrote random values to the special-purpose registers (SPR) Instruction Authority Mask Register (IAMR), the guest and the corresponding QEMU process previously hung. This update adds the code which sets SPRs to a suitable neutral value on guest exit, thus fixing this bug. (BZ#1316636) * Under heavy iSCSI traffic load, the system previously panicked due to a race in the locking code leading to a list corruption. This update fixes this bug, and the system no longer panics in this situation. (BZ#1316812) * During SCSI exception handling (triggered by some irregularities), the driver could previously use an already retired SCSI command. As a consequence, a kernel panic or data corruption occurred. The provided patches fix this bug, and exception handling now proceeds successfully. (BZ#1316820) * When the previously opened /dev/tty, which pointed to a pseudo terminal (pty) pair, was the last file closed, a kernel crash could previously occur. The underlying source code has been fixed, preventing this bug. (BZ#1320297) * Previously, when using VPLEX and FCoE via the bnx2fc driver, different degrees of data corruption occurred. The provided patch fixes the FCP Response (RSP) residual parsing in bnx2fc, which prevents the aforementioned corruption. (BZ#1322279) Important Copyright 2016 Red Hat, Inc. CVE-2016-0758 CVE-2016-3044 CVE-2016-0758 kernel: tags with indefinite length can corrupt pointers in asn1_find_indefinite_length() cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1041: thunderbird security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 38.8.0. Security Fix(es): * Two flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2016-2805, CVE-2016-2807) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Phil Ringalda, Christian Holler, and Tyson Smith as the original reporters. Important Copyright 2016 Red Hat, Inc. CVE-2016-2805 CVE-2016-2807 CVE-2016-2805 Mozilla: Miscellaneous memory safety hazards (rv:38.8) (MFSA 2016-39) CVE-2016-2807 Mozilla: Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8) (MFSA 2016-39) cpe:/a:redhat:rhel_productivity:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1051: kernel-rt security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. The following packages have been upgraded to a newer upstream version: kernel-rt (3.10.0-327.18.2). This version provides a number of bug fixes and enhancements, including: * [scsi] bnx2fc: Fix FCP RSP residual parsing and remove explicit logouts * [scsi] mpt3sas: Fix for Asynchronous completion of timedout IO and task abort of timedout IO * [scsi] scsi_error: should not get sense for timeout IO in scsi error handler * [scsi] Revert libiscsi: Reduce locking contention in fast path * [mm] madvise: fix MADV_WILLNEED on shmem swapouts * [cpufreq] intel_pstate: decrease number of "HWP enabled" messages and enable HWP per CPU * [kernel] sched: Robustify topology setup * [kernel] sched/fair: Disable tg load_avg/runnable_avg update for root_task_group * [kernel] sched/fair: Move hot load_avg/runnable_avg into separate cacheline * [ib] mlx5: Fix RC transport send queue overhead computation * [fs] nfsd: fix clp->cl_revoked list deletion causing softlock in nfsd * [fs] ceph: multiple updates (BZ#1322033) Security Fix(es): * A flaw was found in the way the Linux kernel's ASN.1 DER decoder processed certain certificate files with tags of indefinite length. A local, unprivileged user could use a specially crafted X.509 certificate DER file to crash the system or, potentially, escalate their privileges on the system. (CVE-2016-0758, Important) Red Hat would like to thank Philip Pettersson of Samsung for reporting this issue. Bug Fix(es): * The hotplug lock and the console semaphore could be acquired in an incorrect order, which could previously lead to a deadlock causing the system console to freeze. The underlying code has been adjusted to acquire the locks in the correct order, resolving the bug with the console. (BZ#1324767) Important Copyright 2016 Red Hat, Inc. CVE-2016-0758 CVE-2016-0758 kernel: tags with indefinite length can corrupt pointers in asn1_find_indefinite_length() kernel-rt: update to the RHEL7.2.z batch#4 source tree cpe:/a:redhat:rhel_extras_rt:7 RHSA-2016:1086: libndp security update (Moderate) Red Hat Enterprise Linux 7 Libndp is a library (used by NetworkManager) that provides a wrapper for the IPv6 Neighbor Discovery Protocol. It also provides a tool named ndptool for sending and receiving NDP messages. Security Fix(es): * It was found that libndp did not properly validate and check the origin of Neighbor Discovery Protocol (NDP) messages. An attacker on a non-local network could use this flaw to advertise a node as a router, allowing them to perform man-in-the-middle attacks on a connecting client, or disrupt the network connectivity of that client. (CVE-2016-3698) Red Hat would like to thank Julien Bernard (Viagénie) for reporting this issue. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-3698 CVE-2016-3698 libndp: denial of service due to insufficient validation of source of NDP messages cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1139: squid security update (Moderate) Red Hat Enterprise Linux 7 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix(es): * A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacker could possibly use this flaw to execute arbitrary code. (CVE-2016-4051) * Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid. (CVE-2016-4052, CVE-2016-4053, CVE-2016-4054) * An input validation flaw was found in the way Squid handled intercepted HTTP Request messages. An attacker could use this flaw to bypass the protection against issues related to CVE-2009-0801, and perform cache poisoning attacks on Squid. (CVE-2016-4553) * An input validation flaw was found in Squid's mime_get_header_field() function, which is used to search for headers within HTTP requests. An attacker could send an HTTP request from the client side with specially crafted header Host header that bypasses same-origin security protections, causing Squid operating as interception or reverse-proxy to contact the wrong origin server. It could also be used for cache poisoning for client not following RFC 7230. (CVE-2016-4554) * A NULL pointer dereference flaw was found in the way Squid processes ESI responses. If Squid was used as a reverse proxy or for TLS/HTTPS interception, a malicious server could use this flaw to crash the Squid worker process. (CVE-2016-4555) * An incorrect reference counting flaw was found in the way Squid processes ESI responses. If Squid is configured as reverse-proxy, for TLS/HTTPS interception, an attacker controlling a server accessed by Squid, could crash the squid worker, causing a Denial of Service attack. (CVE-2016-4556) Moderate Copyright 2016 Red Hat, Inc. CVE-2016-4051 CVE-2016-4052 CVE-2016-4053 CVE-2016-4054 CVE-2016-4553 CVE-2016-4554 CVE-2016-4555 CVE-2016-4556 CVE-2016-4051 squid: buffer overflow in cachemgr.cgi CVE-2016-4052 CVE-2016-4053 CVE-2016-4054 squid: multiple issues in ESI processing CVE-2016-4553 squid: Cache poisoning issue in HTTP Request handling CVE-2016-4554 squid: Header Smuggling issue in HTTP Request processing CVE-2016-4555 squid: SegFault from ESIInclude::Start CVE-2016-4556 squid: SIGSEGV in ESIContext response handling cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1141: ntp security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es): * It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979) * A denial of service flaw was found in the way NTP handled preemptable client associations. A remote attacker could send several crypto NAK packets to a victim client, each with a spoofed source address of an existing associated peer, preventing that client from synchronizing its time. (CVE-2016-1547) * It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client. (CVE-2016-1548) * A flaw was found in the way NTP's libntp performed message authentication. An attacker able to observe the timing of the comparison function used in packet authentication could potentially use this flaw to recover the message digest. (CVE-2016-1550) * An out-of-bounds access flaw was found in the way ntpd processed certain packets. An authenticated attacker could use a crafted packet to create a peer association with hmode of 7 and larger, which could potentially (although highly unlikely) cause ntpd to crash. (CVE-2016-2518) The CVE-2016-1548 issue was discovered by Miroslav Lichvar (Red Hat). Moderate Copyright 2016 Red Hat, Inc. CVE-2015-7979 CVE-2016-1547 CVE-2016-1548 CVE-2016-1550 CVE-2016-2518 CVE-2015-7979 ntp: off-path denial of service on authenticated broadcast mode CVE-2016-1547 ntp: crypto-NAK preemptable association denial of service CVE-2016-1548 ntp: ntpd switching to interleaved mode with spoofed packets CVE-2016-1550 ntp: libntp message digest disclosure CVE-2016-2518 ntp: out-of-bounds references on crafted packet cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1205: spice security update (Important) Red Hat Enterprise Linux 7 The Simple Protocol for Independent Computing Environments (SPICE) is a remote display system built for virtual environments which allows the user to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. Security Fix(es): * A memory allocation flaw, leading to a heap-based buffer overflow, was found in spice's smartcard interaction, which runs under the QEMU-KVM context on the host. A user connecting to a guest VM using spice could potentially use this flaw to crash the QEMU-KVM process or execute arbitrary code with the privileges of the host's QEMU-KVM process. (CVE-2016-0749) * A memory access flaw was found in the way spice handled certain guests using crafted primary surface parameters. A user in a guest could use this flaw to read from and write to arbitrary memory locations on the host. (CVE-2016-2150) The CVE-2016-0749 issue was discovered by Jing Zhao (Red Hat) and the CVE-2016-2150 issue was discovered by Frediano Ziglio (Red Hat). Important Copyright 2016 Red Hat, Inc. CVE-2016-0749 CVE-2016-2150 CVE-2016-0749 spice: heap-based memory corruption within smartcard handling CVE-2016-2150 spice: Host memory access from guest with invalid primary surface parameters cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1217: firefox security update (Critical) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.2.0 ESR. Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-2818, CVE-2016-2819, CVE-2016-2821, CVE-2016-2822, CVE-2016-2828, CVE-2016-2831) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges sushi Anton Larsson, firehack, Jordi Chancel, Christian Holler, Sylvestre Ledru, Tyson Smith, jomo, Jesse Ruderman, Julian Seward, Timothy Nikkel, Karl Tomlinson, Olli Pettay, and Gary Kwong as the original reporters. Critical Copyright 2016 Red Hat, Inc. CVE-2016-2818 CVE-2016-2819 CVE-2016-2821 CVE-2016-2822 CVE-2016-2828 CVE-2016-2831 CVE-2016-2818 Mozilla: Miscellaneous memory safety hazards (rv:45.2) (MFSA 2016-49) CVE-2016-2819 Mozilla: Buffer overflow parsing HTML5 fragments (MFSA 2016-50) CVE-2016-2821 Mozilla: Use-after-free deleting tables from a contenteditable document (MFSA 2016-51) CVE-2016-2822 Mozilla: Addressbar spoofing though the SELECT element (MFSA 2016-52) CVE-2016-2828 Mozilla: Use-after-free when textures are used in WebGL operations after recycle pool destruction (MFSA 2016-56) CVE-2016-2831 Mozilla: Entering fullscreen and persistent pointerlock without user permission permission (MFSA 2016-59) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 RHSA-2016:1237: ImageMagick security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Security Fix(es): * It was discovered that ImageMagick did not properly sanitize certain input before using it to invoke processes. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. (CVE-2016-5118) * It was discovered that ImageMagick did not properly sanitize certain input before passing it to the gnuplot delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. (CVE-2016-5239) * Multiple flaws have been discovered in ImageMagick. A remote attacker could, for example, create specially crafted images that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would result in a memory corruption and, potentially, execution of arbitrary code, a denial of service, or an application crash. (CVE-2015-8896, CVE-2015-8895, CVE-2016-5240, CVE-2015-8897, CVE-2015-8898) Important Copyright 2016 Red Hat, Inc. CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2016-5118 CVE-2016-5239 CVE-2016-5240 CVE-2015-8895 ImageMagick: Integer and buffer overflow in coders/icon.c CVE-2015-8896 ImageMagick: Integer truncation vulnerability in coders/pict.c CVE-2016-5240 ImageMagick: SVG converting issue resulting in DoS CVE-2016-5239 ImageMagick,GraphicsMagick: Gnuplot delegate vulnerability allowing command injection CVE-2016-5118 ImageMagick: Remote code execution via filename CVE-2015-8898 ImageMagick: Prevent NULL pointer access in magick/constitute.c CVE-2015-8897 ImageMagick: Crash due to out of bounds error in SpliceImage cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1277: kernel security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes, some of which you can see below. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed to the related Knowledge Article: https://access.redhat.com/articles/2361921. Security Fixes: * A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or RDMA Userspace Connection Manager Access module explicitly loaded, could use this flaw to escalate their privileges on the system. (CVE-2016-4565, Important) * A race condition flaw was found in the way the Linux kernel's SCTP implementation handled sctp_accept() during the processing of heartbeat timeout events. A remote attacker could use this flaw to prevent further connections to be accepted by the SCTP server running on the system, resulting in a denial of service. (CVE-2015-8767, Moderate) Red Hat would like to thank Jann Horn for reporting CVE-2016-4565. Bug Fixes: * When Small Computer System Interface (SCSI) devices were removed or deleted, a system crash could occur due to a race condition between listing all SCSI devices and SCSI device removal. The provided patch ensures that the starting node for the klist_iter_init_node() function is actually a member of the list before using it. As a result, a system crash no longer occurs in the described scenario. (BZ#1333403) * This update offers a reworked series of patches for the resizable hash table (rhashtable) including a number of backported bug fixes and enhancements from upstream. (BZ#1328801) * Previously, the same value of the mperf Model-Specific Register (MSR) read twice in a row could lead to a kernel panic due to the divide-by-zero error. The provided patch fixes this bug, and the kernel now handles two identical values of mperf gracefully. (BZ#1334438) * When a transparent proxy application was running and the number of established connections on the computer exceeded one million, unrelated processes, such as curl or ssh, were unable to bind to a local IP on the box to initiate a connection. The provided patch fixes the cooperation of the REUSEADDR/NOREUSEADDR socket option, and thus prevents the local port from being exhausted. As a result, the aforementioned bug no longer occurs in the described scenario. (BZ#1323960) * Previously, the kernel support for non-local bind for the IPv6 protocol was incomplete. As a consequence, an attempt to bind a socket to an IPv6 address that is not assigned to the host could fail. The provided patch includes changes in the ip_nonlocal_bind variable, which is now set to allow binding to an IPv6 address that is not assigned to the host. As a result, Linux servers are now able to bind to non-local IPv6 addresses as expected. (BZ#1324502) * On some servers with a faster CPU, USB initialization could previously lead to a kernel hang during boot. If this inconvenience occurred when booting the second kernel during the kdump operation, the kdump service failed and the vmcore was lost. The provided upstream patch fixes this bug, and the kernel no longer hangs after USB initialization. (BZ#1327581) * Previously, when running iperf servers using the mlx4_en module, a kernel panic occurred. The underlying source code has been fixed, and the kernel panic no longer occurs in the described scenario. (BZ#1327583) Important Copyright 2016 Red Hat, Inc. CVE-2015-8767 CVE-2016-4565 CVE-2015-8767 kernel: SCTP denial of service during timeout CVE-2016-4565 kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1292: libxml2 security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fix(es): A heap-based buffer overflow flaw was found in the way libxml2 parsed certain crafted XML input. A remote attacker could provide a specially crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or execute arbitrary code with the permissions of the user running the application. (CVE-2016-1834, CVE-2016-1840) Multiple denial of service flaws were found in libxml2. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, could cause that application to crash. (CVE-2016-1762, CVE-2016-1833, CVE-2016-1835, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, CVE-2016-3627, CVE-2016-3705, CVE-2016-4447, CVE-2016-4448, CVE-2016-4449) Important Copyright 2016 Red Hat, Inc. CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449 CVE-2016-3627 libxml2: stack exhaustion while parsing xml files in recovery mode CVE-2016-3705 libxml2: stack overflow before detecting invalid XML file CVE-2016-1833 libxml2: Heap-based buffer overread in htmlCurrentChar CVE-2016-4447 libxml2: Heap-based buffer underreads due to xmlParseName CVE-2016-1835 libxml2: Heap use-after-free in xmlSAX2AttributeNs CVE-2016-1837 libxml2: Heap use-after-free in htmlPArsePubidLiteral and htmlParseSystemiteral CVE-2016-4448 libxml2: Format string vulnerability CVE-2016-4449 libxml2: Inappropriate fetch of entities content CVE-2016-1836 libxml2: Heap use-after-free in xmlDictComputeFastKey CVE-2016-1839 libxml2: Heap-based buffer overread in xmlDictAddString CVE-2016-1838 libxml2: Heap-based buffer overread in xmlPArserPrintFileContextInternal CVE-2016-1840 libxml2: Heap-buffer-overflow in xmlFAParserPosCharGroup CVE-2016-1834 libxml2: Heap-buffer-overflow in xmlStrncat CVE-2016-1762 libxml2: Heap-based buffer-overread in xmlNextChar cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1293: setroubleshoot and setroubleshoot-plugins security update (Important) Red Hat Enterprise Linux 7 The setroubleshoot packages provide tools to help diagnose SELinux problems. When Access Vector Cache (AVC) messages are returned, an alert can be generated that provides information about the problem and helps to track its resolution. The setroubleshoot-plugins package provides a set of analysis plugins for use with setroubleshoot. Each plugin has the capacity to analyze SELinux AVC data and system data to provide user friendly reports describing how to interpret SELinux AVC denials. Security Fix(es): * Shell command injection flaws were found in the way the setroubleshoot executed external commands. A local attacker able to trigger certain SELinux denials could use these flaws to execute arbitrary code with privileges of the setroubleshoot user. (CVE-2016-4989) * Shell command injection flaws were found in the way the setroubleshoot allow_execmod and allow_execstack plugins executed external commands. A local attacker able to trigger an execmod or execstack SELinux denial could use these flaws to execute arbitrary code with privileges of the setroubleshoot user. (CVE-2016-4444, CVE-2016-4446) The CVE-2016-4444 and CVE-2016-4446 issues were discovered by Milos Malik (Red Hat) and the CVE-2016-4989 issue was discovered by Red Hat Product Security. Note: On Red Hat Enterprise Linux 7.0 and 7.1, the setroubleshoot is run with root privileges. Therefore, these issues could allow an attacker to execute arbitrary code with root privileges. Important Copyright 2016 Red Hat, Inc. CVE-2016-4444 CVE-2016-4446 CVE-2016-4989 CVE-2016-4444 setroubleshoot-plugins: insecure commands.getstatusoutput use in the allow_execmod plugin CVE-2016-4446 setroubleshoot-plugins: insecure commands.getoutput use in the allow_execstack plugin CVE-2016-4989 setroubleshoot: command injection issues cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1296: ocaml security update (Moderate) Red Hat Enterprise Linux 7 OCaml is a high-level, strongly-typed, functional, and object-oriented programming language from the ML family of languages. The ocaml packages contain two batch compilers (a fast bytecode compiler and an optimizing native-code compiler), an interactive top level system, parsing tools (Lex, Yacc, Camlp4), a replay debugger, a documentation generator, and a comprehensive library. Security Fix(es): * OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit platforms, causes size arguments to internal memmove calls to be sign-extended from 32- to 64-bits before being passed to the memmove function. This leads to arguments between 2GiB and 4GiB being interpreted as larger than they are (specifically, a bit below 2^64), causing a buffer overflow. Further, arguments between 4GiB and 6GiB are interpreted as 4GiB smaller than they should be, causing a possible information leak. (CVE-2015-8869) Moderate Copyright 2016 Red Hat, Inc. CVE-2015-8869 CVE-2015-8869 ocaml: sizes arguments are sign-extended from 32 to 64 bits cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1301: kernel-rt security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. The following packages have been upgraded to a newer upstream version: kernel-rt (3.10.0-327.22.1). This version provides a number of bug fixes and enhancements, including: * [netdrv] ixgbevf: fix spoofed packets with random MAC and use ether_addr_copy instead of memcpy * [mm] mmu_notifier: fix memory corruption * [mm] hugetlbfs: optimize when NUMA=n * [mm] optimize put_mems_allowed() usage * [x86] mm: suitable memory should go to ZONE_MOVABLE * [fs] xfs: fix splice/direct-IO deadlock * [acpi] tables: Add acpi_subtable_proc to ACPI table parsers * [acpi] table: Add new function to get table entries * [net] ipv6: Nonlocal bind * [net] ipv4: bind ip_nonlocal_bind to current netns (BZ#1335747) Security Fix(es): * A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or RDMA Userspace Connection Manager Access module explicitly loaded, could use this flaw to escalate their privileges on the system. (CVE-2016-4565, Important) * A race condition flaw was found in the way the Linux kernel's SCTP implementation handled sctp_accept() during the processing of heartbeat timeout events. A remote attacker could use this flaw to prevent further connections to be accepted by the SCTP server running on the system, resulting in a denial of service. (CVE-2015-8767, Moderate) * A flaw was found in the way the realtime kernel processed specially crafted ICMP echo requests. A remote attacker could use this flaw to trigger a sysrql function based on values in the ICMP packet, allowing them to remotely restart the system. Note that this feature is not enabled by default and requires elevated privileges to be configured. (CVE-2016-3707, Moderate) Red Hat would like to thank Jann Horn for reporting CVE-2016-4565. Bug Fix(es): * Previously, configuration changes to the Hewlett Packard Smart Array (HPSA) driver during I/O operations could set the phys_disk pointer to NULL. Consequently, kernel oops could occur while the HPSA driver was submitting ioaccel2 commands. An upstream patch has been provided to fix this bug, and the oops in the hpsa_scsi_ioaccel_raid_map() function no longer occurs. (BZ#1335411) * In a previous code update one extra spin_lock operation was left untouched. Consequently, a deadlock could occur when looping through cache pages. With this update, the extra lock operation has been removed from the source code and the deadlock no longer occurs in the described situation. (BZ#1327073) Important Copyright 2016 Red Hat, Inc. CVE-2015-8767 CVE-2016-3707 CVE-2016-4565 CVE-2015-8767 kernel: SCTP denial of service during timeout CVE-2016-4565 kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko deadlock in fscache code (merge error) CVE-2016-3707 kernel-rt: Sending SysRq command via ICMP echo request rt: Use IPI to trigger RT task push migration instead of pulling kernel-rt: update to the RHEL7.2.z batch#5 source tree cpe:/a:redhat:rhel_extras_rt:7 RHSA-2016:1392: thunderbird security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.2.0. Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2016-2818) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christian Holler, Gary Kwong, Jesse Ruderman, Tyson Smith, Timothy Nikkel, Sylvestre Ledru, Julian Seward, Olli Pettay, and Karl Tomlinson as the original reporters. Important Copyright 2016 Red Hat, Inc. CVE-2016-2818 CVE-2016-2818 Mozilla: Miscellaneous memory safety hazards (rv:45.2) (MFSA 2016-49) cpe:/a:redhat:rhel_productivity:5 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1422: httpd security and bug fix update (Important) Red Hat Enterprise Linux 7 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es): * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387) Note: After this update, httpd will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable. Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. Bug Fix(es): * In a caching proxy configuration, the mod_cache module would treat content as stale if the Expires header changed when refreshing a cached response. As a consequence, an origin server returning content without a fixed Expires header would not be treated as cacheable. The mod_cache module has been fixed to ignore changes in the Expires header when refreshing content. As a result, such content is now cacheable, improving performance and reducing load at the origin server. (BZ#1347648) * The HTTP status code 451 "Unavailable For Legal Reasons" was not usable in the httpd configuration. As a consequence, modules such as mod_rewrite could not be configured to return a 451 error if required for legal purposes. The 451 status code has been added to the list of available error codes, and modules can now be configured to return a 451 error if required. (BZ#1353269) Important Copyright 2016 Red Hat, Inc. CVE-2016-5387 Apache can not cache content if Expires header is modified Support sending http 451 status code from RewriteRule CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1458: java-1.8.0-openjdk security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es): * Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-3606, CVE-2016-3587, CVE-2016-3598, CVE-2016-3610) * Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500, CVE-2016-3508) * Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458, CVE-2016-3550) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. Critical Copyright 2016 Red Hat, Inc. CVE-2016-3458 CVE-2016-3500 CVE-2016-3508 CVE-2016-3550 CVE-2016-3587 CVE-2016-3598 CVE-2016-3606 CVE-2016-3610 CVE-2016-3606 OpenJDK: insufficient bytecode verification (Hotspot, 8155981) CVE-2016-3598 OpenJDK: incorrect handling of MethodHandles.dropArguments() argument (Libraries, 8155985) CVE-2016-3587 OpenJDK: insufficient protection of MethodHandle.invokeBasic() (Hotspot, 8154475) CVE-2016-3610 OpenJDK: insufficient value count check in MethodHandles.filterReturnValue() (Libraries, 8158571) CVE-2016-3500 OpenJDK: maximum XML name limit not applied to namespace URIs (JAXP, 8148872) CVE-2016-3508 OpenJDK: missing entity replacement limits (JAXP, 8149962) CVE-2016-3458 OpenJDK: insufficient restrictions on the use of custom ValueHandler (CORBA, 8079718) CVE-2016-3550 OpenJDK: integer overflows in bytecode streams (Hotspot, 8152479) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:1486: samba security and bug fix update (Moderate) Red Hat Enterprise Linux 7 Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es): * A flaw was found in the way Samba initiated signed DCE/RPC connections. A man-in-the-middle attacker could use this flaw to downgrade the connection to not use signing and therefore impersonate the server. (CVE-2016-2119) Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Stefan Metzmacher as the original reporter. Bug Fix(es): * Previously, the "net" command in some cases failed to join the client to Active Directory (AD) because the permissions setting prevented modification of the supported Kerberos encryption type LDAP attribute. With this update, Samba has been fixed to allow joining an AD domain as a user. In addition, Samba now uses the machine account credentials to set up the Kerberos encryption types within AD for the joined machine. As a result, using "net" to join a domain now works more reliably. (BZ#1351260) * Previously, the idmap_hash module worked incorrectly when it was used together with other modules. As a consequence, user and group IDs were not mapped properly. A patch has been applied to skip already configured modules. Now, the hash module can be used as the default idmap configuration back end and IDs are resolved correctly. (BZ#1350759) Moderate Copyright 2016 Red Hat, Inc. CVE-2016-2119 idmap_hash module works incorrectly when used with other backend modules net ads join throws "Failed to join domain: failed to set machine kerberos encryption types: Insufficient access" CVE-2016-2119 samba: Client side SMB2/3 required signing can be downgraded cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1504: java-1.7.0-openjdk security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es): * Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-3606, CVE-2016-3598, CVE-2016-3610) * Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500, CVE-2016-3508) * Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458, CVE-2016-3550) Important Copyright 2016 Red Hat, Inc. CVE-2016-3458 CVE-2016-3500 CVE-2016-3508 CVE-2016-3550 CVE-2016-3598 CVE-2016-3606 CVE-2016-3610 CVE-2016-3606 OpenJDK: insufficient bytecode verification (Hotspot, 8155981) CVE-2016-3598 OpenJDK: incorrect handling of MethodHandles.dropArguments() argument (Libraries, 8155985) CVE-2016-3610 OpenJDK: insufficient value count check in MethodHandles.filterReturnValue() (Libraries, 8158571) CVE-2016-3500 OpenJDK: maximum XML name limit not applied to namespace URIs (JAXP, 8148872) CVE-2016-3508 OpenJDK: missing entity replacement limits (JAXP, 8149962) CVE-2016-3458 OpenJDK: insufficient restrictions on the use of custom ValueHandler (CORBA, 8079718) CVE-2016-3550 OpenJDK: integer overflows in bytecode streams (Hotspot, 8152479) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:1538: golang security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The golang packages provide the Go programming language compiler. The following packages have been upgraded to a newer upstream version: golang (1.6.3). (BZ#1346331) Security Fix(es): * An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable "HTTP_PROXY" using the incoming "Proxy" HTTP-request header. The environment variable "HTTP_PROXY" is used by numerous web clients, including Go's net/http package, to specify a proxy server to use for HTTP and, in some cases, HTTPS requests. This meant that when a CGI-based web application ran, an attacker could specify a proxy server which the application then used for subsequent outgoing requests, allowing a man-in-the-middle attack. (CVE-2016-5386) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 CVE-2016-3959 CVE-2016-5386 REBASE to golang 1.6 CVE-2016-5386 Go: sets environmental variable based on user supplied Proxy request header cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1539: kernel security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes, some of which you can see below. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed to the related Knowledge Article: https://access.redhat.com/articles/2460971. Security Fix(es): * A flaw was found in the Linux kernel's keyring handling code, where in key_reject_and_link() an uninitialised variable would eventually lead to arbitrary free address which could allow attacker to use a use-after-free style attack. (CVE-2016-4470, Important) * The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application. (CVE-2015-8660, Moderate) * It was reported that on s390x, the fork of a process with four page table levels will cause memory corruption with a variety of symptoms. All processes are created with three level page table and a limit of 4TB for the address space. If the parent process has four page table levels with a limit of 8PB, the function that duplicates the address space will try to copy memory areas outside of the address space limit for the child process. (CVE-2016-2143, Moderate) Red Hat would like to thank Nathan Williams for reporting CVE-2015-8660. The CVE-2016-4470 issue was discovered by David Howells (Red Hat Inc.). Bug Fix(es): * The glibc headers and the Linux headers share certain definitions of key structures that are required to be defined in kernel and in userspace. In some instances both userspace and sanitized kernel headers have to be included in order to get the structure definitions required by the user program. Unfortunately because the glibc and Linux headers don't coordinate this can result in compilation errors. The glibc headers have therefore been fixed to coordinate with Linux UAPI-based headers. With the header coordination compilation errors no longer occur. (BZ#1331285) * When running the TCP/IPv6 traffic over the mlx4_en networking interface on the big endian architectures, call traces reporting about a "hw csum failure" could occur. With this update, the mlx4_en driver has been fixed by correction of the checksum calculation for the big endian architectures. As a result, the call trace error no longer appears in the log messages. (BZ#1337431) * Under significant load, some applications such as logshifter could generate bursts of log messages too large for the system logger to spool. Due to a race condition, log messages from that application could then be lost even after the log volume dropped to manageable levels. This update fixes the kernel mechanism used to notify the transmitter end of the socket used by the system logger that more space is available on the receiver side, removing a race condition which previously caused the sender to stop transmitting new messages and allowing all log messages to be processed correctly. (BZ#1337513) * Previously, after heavy open or close of the Accelerator Function Unit (AFU) contexts, the interrupt packet went out and the AFU context did not see any interrupts. Consequently, a kernel panic could occur. The provided patch set fixes handling of the interrupt requests, and kernel panic no longer occurs in the described situation. (BZ#1338886) * net: recvfrom would fail on short buffer. (BZ#1339115) * Backport rhashtable changes from upstream. (BZ#1343639) * Server Crashing after starting Glusterd & creating volumes. (BZ#1344234) * RAID5 reshape deadlock fix. (BZ#1344313) * BDX perf uncore support fix. (BZ#1347374) Important Copyright 2016 Red Hat, Inc. CVE-2015-8660 CVE-2016-2143 CVE-2016-4470 CVE-2015-8660 kernel: Permission bypass on overlayfs during copy_up CVE-2016-2143 kernel: Fork of large process causes memory corruption CVE-2016-4470 kernel: Uninitialized variable in request_key handling causes kernel crash in error handling path cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1541: kernel-rt security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. * A flaw was found in the Linux kernel's keyring handling code, where in key_reject_and_link() an uninitialised variable would eventually lead to arbitrary free address which could allow attacker to use a use-after-free style attack. (CVE-2016-4470, Important) * The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application. (CVE-2015-8660, Moderate) Red Hat would like to thank Nathan Williams for reporting CVE-2015-8660. The CVE-2016-4470 issue was discovered by David Howells (Red Hat Inc.). The kernel-rt packages have been upgraded to the kernel-3.10.0-327.28.2.el7 source tree, which provides a number of bug fixes over the previous version. (BZ#1350307) This update also fixes the following bugs: * Previously, use of the get/put_cpu_var() function in function refill_stock() from the memcontrol cgroup code lead to a "scheduling while atomic" warning. With this update, refill_stock() uses the get/put_cpu_light() function instead, and the warnings no longer appear. (BZ#1347171) * Prior to this update, if a real time task pinned to a given CPU was taking 100% of the CPU time, then calls to the lru_add_drain_all() function on other CPUs blocked for an undetermined amount of time. This caused latencies and undesired side effects. With this update, lru_add_drain_all() has been changed to drain the LRU pagevecs of remote CPUs. (BZ#1348523) Important Copyright 2016 Red Hat, Inc. CVE-2015-8660 CVE-2016-4470 CVE-2015-8660 kernel: Permission bypass on overlayfs during copy_up CVE-2016-4470 kernel: Uninitialized variable in request_key handling causes kernel crash in error handling path kernel-rt: update to the RHEL7.2.z batch#6 source tree cpe:/a:redhat:rhel_extras_rt:7 RHSA-2016:1546: libtiff security update (Important) Red Hat Enterprise Linux 7 The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Security Fix(es): * Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files. (CVE-2014-9655, CVE-2015-1547, CVE-2015-8784, CVE-2015-8683, CVE-2015-8665, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2016-3990, CVE-2016-5320) * Multiple flaws have been discovered in various libtiff tools (bmp2tiff, pal2rgb, thumbnail, tiff2bw, tiff2pdf, tiffcrop, tiffdither, tiffsplit, tiff2rgba). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool. (CVE-2014-8127, CVE-2014-8129, CVE-2014-8130, CVE-2014-9330, CVE-2015-7554, CVE-2015-8668, CVE-2016-3632, CVE-2016-3945, CVE-2016-3991) Important Copyright 2016 Red Hat, Inc. CVE-2014-8127 CVE-2014-8129 CVE-2014-8130 CVE-2014-9330 CVE-2014-9655 CVE-2015-1547 CVE-2015-7554 CVE-2015-8665 CVE-2015-8668 CVE-2015-8683 CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 CVE-2015-8784 CVE-2016-3632 CVE-2016-3945 CVE-2016-3990 CVE-2016-3991 CVE-2016-5320 CVE-2014-9330 libtiff: Out-of-bounds reads followed by a crash in bmp2tiff CVE-2014-8127 libtiff: out-of-bounds read with malformed TIFF image in multiple tools CVE-2014-8129 libtiff: out-of-bounds read/write with malformed TIFF image in tiff2pdf CVE-2014-8130 libtiff: divide by zero in the tiffdither tool CVE-2014-9655 libtiff: use of uninitialized memory in putcontig8bitYCbCr21tile and NeXTDecode CVE-2015-1547 libtiff: use of uninitialized memory in NeXTDecode CVE-2015-7554 libtiff: Invalid-write in _TIFFVGetField() when parsing some extension tags CVE-2015-8668 libtiff: OOB read in bmp2tiff CVE-2015-8683 libtiff: Out-of-bounds when reading CIE Lab image format files CVE-2015-8665 libtiff: Out-of-bounds read in tif_getimage.c CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 libtiff: invalid assertion CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode() CVE-2016-3945 libtiff: out-of-bounds write in the tiff2rgba tool CVE-2016-3632 libtiff: out-of-bounds write in _TIFFVGetField function CVE-2016-3990 libtiff: out-of-bounds write in horizontalDifference8() CVE-2016-3991 libtiff: out-of-bounds write in loadImage() function CVE-2016-5320 libtiff: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1551: firefox security update (Critical) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.3.0 ESR. Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-2836, CVE-2016-5258, CVE-2016-5259, CVE-2016-5252, CVE-2016-5263, CVE-2016-2830, CVE-2016-2838, CVE-2016-5254, CVE-2016-5262, CVE-2016-5264, CVE-2016-5265, CVE-2016-2837) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Looben Yang, Carsten Book, Christian Holler, Gary Kwong, Jesse Ruderman, Andrew McCreight, Phil Ringnalda, Philipp, Toni Huttunen, Georg Koppen, Abhishek Arya, Atte Kettunen, Nils, Nikita Arykov, and Abdulrahman Alqabandi as the original reporters. Critical Copyright 2016 Red Hat, Inc. CVE-2016-2830 CVE-2016-2836 CVE-2016-2837 CVE-2016-2838 CVE-2016-5252 CVE-2016-5254 CVE-2016-5258 CVE-2016-5259 CVE-2016-5262 CVE-2016-5263 CVE-2016-5264 CVE-2016-5265 CVE-2016-2830 Mozilla: Favicon network connection persists when page is closed (MFSA 2016-62) CVE-2016-2836 Mozilla: Miscellaneous memory safety hazards (rv:45.3) (MFSA 2016-62) CVE-2016-2838 Mozilla: Buffer overflow rendering SVG with bidirectional content (MFSA 2016-64) CVE-2016-5252 Mozilla: Stack underflow during 2D graphics rendering (MFSA 2016-67) CVE-2016-5254 Mozilla: Use-after-free when using alt key and toplevel menus (MFSA 2016-70) CVE-2016-5258 Mozilla: Use-after-free in DTLS during WebRTC session shutdown (MFSA 2016-72) CVE-2016-5259 Mozilla: Use-after-free in service workers with nested sync events (MFSA 2016-73) CVE-2016-5262 Mozilla: Scripts on marquee tag can execute in sandboxed iframes (MFSA 2016-76) CVE-2016-2837 Mozilla: Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback (MFSA 2016-77) CVE-2016-5263 Mozilla: Type confusion in display transformation (MFSA 2016-78) CVE-2016-5264 Mozilla: Use-after-free when applying SVG effects (MFSA 2016-79) CVE-2016-5265 Mozilla: Same-origin policy violation using local HTML file and saved shortcut file (MFSA 2016-80) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1602: mariadb security update (Important) Red Hat Enterprise Linux 7 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb (5.5.50). Security Fix(es): * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory pages, listed in the References section. (CVE-2016-0640, CVE-2016-0641, CVE-2016-0643, CVE-2016-0644, CVE-2016-0646, CVE-2016-0647, CVE-2016-0648, CVE-2016-0649, CVE-2016-0650, CVE-2016-0666, CVE-2016-3452, CVE-2016-3477, CVE-2016-3521, CVE-2016-3615, CVE-2016-5440, CVE-2016-5444) Important Copyright 2016 Red Hat, Inc. CVE-2016-0640 CVE-2016-0641 CVE-2016-0643 CVE-2016-0644 CVE-2016-0646 CVE-2016-0647 CVE-2016-0648 CVE-2016-0649 CVE-2016-0650 CVE-2016-0666 CVE-2016-3452 CVE-2016-3477 CVE-2016-3521 CVE-2016-3615 CVE-2016-5440 CVE-2016-5444 CVE-2016-0640 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU April 2016) CVE-2016-0641 mysql: unspecified vulnerability in subcomponent: Server: MyISAM (CPU April 2016) CVE-2016-0643 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU April 2016) CVE-2016-0644 mysql: unspecified vulnerability in subcomponent: Server: DDL (CPU April 2016) CVE-2016-0646 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU April 2016) CVE-2016-0647 mysql: unspecified vulnerability in subcomponent: Server: FTS (CPU April 2016) CVE-2016-0648 mysql: unspecified vulnerability in subcomponent: Server: PS (CPU April 2016) CVE-2016-0649 mysql: unspecified vulnerability in subcomponent: Server: PS (CPU April 2016) CVE-2016-0650 mysql: unspecified vulnerability in subcomponent: Server: Replication (CPU April 2016) CVE-2016-0666 mysql: unspecified vulnerability in subcomponent: Server: Security: Privileges (CPU April 2016) CVE-2016-3452 mysql: unspecified vulnerability in subcomponent: Server: Security: Encryption (CPU July 2016) CVE-2016-3477 mysql: unspecified vulnerability in subcomponent: Server: Parser (CPU July 2016) CVE-2016-3521 mysql: unspecified vulnerability in subcomponent: Server: Types (CPU July 2016) CVE-2016-3615 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU July 2016) CVE-2016-5440 mysql: unspecified vulnerability in subcomponent: Server: RBR (CPU July 2016) CVE-2016-5444 mysql: unspecified vulnerability in subcomponent: Server: Connection (CPU July 2016) cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1606: qemu-kvm security update (Moderate) Red Hat Enterprise Linux 7 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix(es): * Quick Emulator(Qemu) built with the Block driver for iSCSI images support (virtio-blk) is vulnerable to a heap buffer overflow issue. It could occur while processing iSCSI asynchronous I/O ioctl(2) calls. A user inside guest could use this flaw to crash the Qemu process resulting in DoS or potentially leverage it to execute arbitrary code with privileges of the Qemu process on the host. (CVE-2016-5126) * Quick emulator(Qemu) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation on the host controlled by the guest. (CVE-2016-5403) Red Hat would like to thank hongzhenhao (Marvel Team) for reporting CVE-2016-5403. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-5126 CVE-2016-5403 CVE-2016-5126 Qemu: block: iscsi: buffer overflow in iscsi_aio_ioctl CVE-2016-5403 Qemu: virtio: unbounded memory allocation on host via guest leading to DoS cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1613: php security and bug fix update (Moderate) Red Hat Enterprise Linux 7 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es): * It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. Bug Fix(es): * Previously, an incorrect logic in the SAPI header callback routine caused that the callback counter was not incremented. Consequently, when a script included a header callback, it could terminate unexpectedly with a segmentation fault. With this update, the callback counter is properly managed, and scripts with a header callback implementation work as expected. (BZ#1346758) Moderate Copyright 2016 Red Hat, Inc. CVE-2016-5385 Segmentation fault while header_register_callback CVE-2016-5385 PHP: sets environmental variable based on user supplied Proxy request header cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1626: python security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000110) * It was found that Python's smtplib library did not return an exception when StartTLS failed to be established in the SMTP.starttls() function. A man in the middle attacker could strip out the STARTTLS command without generating an exception on the Python SMTP client application, preventing the establishment of the TLS layer. (CVE-2016-0772) * It was found that the Python's httplib library (used by urllib, urllib2 and others) did not properly check HTTPConnection.putheader() function arguments. An attacker could use this flaw to inject additional headers in a Python application that allowed user provided header names or values. (CVE-2016-5699) Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-1000110. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-0772 CVE-2016-1000110 CVE-2016-5699 CVE-2016-0772 python: smtplib StartTLS stripping attack CVE-2016-5699 python: http protocol steam injection attack Python brew builds fail for RHEL 7.2 CVE-2016-1000110 Python CGIHandler: sets environmental variable based on user supplied Proxy request header Upstream tests cause building python package on brew stall and leave orphan processes that need manually kill cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:1632: kernel-rt security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. It was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. (CVE-2016-5696, Important) Red Hat would like to thank Yue Cao from Cyber Security Group in the CS department of University of California, Riverside, for reporting this issue. Important Copyright 2016 Red Hat, Inc. CVE-2016-5696 CVE-2016-5696 kernel: challenge ACK counter information disclosure. cpe:/a:redhat:rhel_extras_rt:7 RHSA-2016:1633: kernel security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. It was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. (CVE-2016-5696, Important) Red Hat would like to thank Yue Cao from Cyber Security Group in the CS department of University of California, Riverside, for reporting this issue. Important Copyright 2016 Red Hat, Inc. CVE-2016-5696 CVE-2016-5696 kernel: challenge ACK counter information disclosure. cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1776: java-1.6.0-openjdk security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. Security Fix(es): * An insufficient bytecode verification flaw was discovered in the Hotspot component in OpenJDK. An untrusted Java application or applet could use this flaw to completely bypass Java sandbox restrictions. (CVE-2016-3606) * Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500, CVE-2016-3508) * Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458, CVE-2016-3550) Important Copyright 2016 Red Hat, Inc. CVE-2016-3458 CVE-2016-3500 CVE-2016-3508 CVE-2016-3550 CVE-2016-3606 CVE-2016-3606 OpenJDK: insufficient bytecode verification (Hotspot, 8155981) CVE-2016-3500 OpenJDK: maximum XML name limit not applied to namespace URIs (JAXP, 8148872) CVE-2016-3508 OpenJDK: missing entity replacement limits (JAXP, 8149962) CVE-2016-3458 OpenJDK: insufficient restrictions on the use of custom ValueHandler (CORBA, 8079718) CVE-2016-3550 OpenJDK: integer overflows in bytecode streams (Hotspot, 8152479) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1797: ipa security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix(es): * An insufficient permission check issue was found in the way IPA server treats certificate revocation requests. An attacker logged in with the 'retrieve certificate' permission enabled could use this flaw to revoke certificates, possibly triggering a denial of service attack. (CVE-2016-5404) This issue was discovered by Fraser Tweedale (Red Hat). Moderate Copyright 2016 Red Hat, Inc. CVE-2016-5404 CVE-2016-5404 ipa: Insufficient privileges check in certificate revocation cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:1809: thunderbird security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.3.0. Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2016-2836) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Carsten Book, Christian Holler, Gary Kwong, Jesse Ruderman, Andrew McCreight, Phil Ringnalda, and Philipp as the original reporters. Important Copyright 2016 Red Hat, Inc. CVE-2016-2836 CVE-2016-2836 Mozilla: Miscellaneous memory safety hazards (rv:45.3) (MFSA 2016-62) cpe:/a:redhat:rhel_productivity:5 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:1844: libarchive security update (Important) Red Hat Enterprise Linux 7 The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers. Security Fix(es): * A flaw was found in the way libarchive handled hardlink archive entries of non-zero size. Combined with flaws in libarchive's file system sandboxing, this issue could cause an application using libarchive to overwrite arbitrary files with arbitrary data from the archive. (CVE-2016-5418) * Multiple out-of-bounds write flaws were found in libarchive. Specially crafted ZIP, 7ZIP, or RAR files could cause a heap overflow, potentially allowing code execution in the context of the application using libarchive. (CVE-2016-1541, CVE-2016-4300, CVE-2016-4302) * Multiple out-of-bounds read flaws were found in libarchive. Specially crafted LZA/LZH, AR, MTREE, ZIP, TAR, or RAR files could cause the application to read data out of bounds, potentially disclosing a small amount of application memory, or causing an application crash. (CVE-2015-8919, CVE-2015-8920, CVE-2015-8921, CVE-2015-8923, CVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8928, CVE-2015-8934) * Multiple NULL pointer dereference flaws were found in libarchive. Specially crafted RAR, CAB, or 7ZIP files could cause an application using libarchive to crash. (CVE-2015-8916, CVE-2015-8917, CVE-2015-8922) * Multiple infinite loop / resource exhaustion flaws were found in libarchive. Specially crafted GZIP or ISO files could cause the application to consume an excessive amount of resources, eventually leading to a crash on memory exhaustion. (CVE-2016-7166, CVE-2015-8930) * A denial of service vulnerability was found in libarchive. A specially crafted CPIO archive containing a symbolic link to a large target path could cause memory allocation to fail, causing an application using libarchive that attempted to view or extract such archive to crash. (CVE-2016-4809) * An integer overflow flaw, leading to a buffer overflow, was found in libarchive's construction of ISO9660 volumes. Attempting to create an ISO9660 volume with 2 GB or 4 GB file names could cause the application to attempt to allocate 20 GB of memory. If this were to succeed, it could lead to an out of bounds write on the heap and potential code execution. (CVE-2016-6250) * Multiple instances of undefined behavior due to arithmetic overflow were found in libarchive. Specially crafted MTREE archives, Compress streams, or ISO9660 volumes could potentially cause the application to fail to read the archive, or to crash. (CVE-2015-8931, CVE-2015-8932, CVE-2016-5844) Red Hat would like to thank Insomnia Security for reporting CVE-2016-5418. Important Copyright 2016 Red Hat, Inc. CVE-2015-8916 CVE-2015-8917 CVE-2015-8919 CVE-2015-8920 CVE-2015-8921 CVE-2015-8922 CVE-2015-8923 CVE-2015-8924 CVE-2015-8925 CVE-2015-8926 CVE-2015-8928 CVE-2015-8930 CVE-2015-8931 CVE-2015-8932 CVE-2015-8934 CVE-2016-1541 CVE-2016-4300 CVE-2016-4302 CVE-2016-4809 CVE-2016-5418 CVE-2016-5844 CVE-2016-6250 CVE-2016-7166 CVE-2016-1541 libarchive: zip_read_mac_metadata() heap-based buffer overflow CVE-2016-4809 libarchive: Memory allocate error with symbolic links in cpio archives CVE-2016-6250 libarchive: Buffer overflow when writing large iso9660 containers CVE-2016-7166 libarchive: Denial of service using a crafted gzip file CVE-2015-8916 libarchive: NULL pointer access in RAR parser through bsdtar CVE-2015-8917 libarchive: NULL pointer access in CAB parser CVE-2015-8919 libarchive: Heap out of bounds read in LHA/LZH parser CVE-2015-8920 libarchive: Stack out of bounds read in ar parser CVE-2015-8922 libarchive: NULL pointer access in 7z parser CVE-2015-8924 libarchive: Heap out of bounds read in TAR parser CVE-2015-8925 libarchive: Unclear invalid memory read in mtree parser CVE-2015-8926 libarchive: NULL pointer access in RAR parser CVE-2015-8928 libarchive: Heap out of bounds read in mtree parser CVE-2016-4300 libarchive: Heap buffer overflow vulnerability in the 7zip read_SubStreamsInfo CVE-2016-4302 libarchive: Heap buffer overflow in the Rar decompression functionality CVE-2015-8921 libarchive: Global out of bounds read in mtree parser CVE-2015-8923 libarchive: Unclear crashes in ZIP parser CVE-2015-8931 libarchive: Undefined behavior (signed integer overflow) in mtree parser CVE-2015-8932 libarchive: Undefined behavior / invalid shiftleft in TAR parser CVE-2015-8930 libarchive: Endless loop in ISO parser CVE-2015-8934 libarchive: out of bounds heap read in RAR parser CVE-2016-5844 libarchive: undefined behaviour (integer overflow) in iso parser CVE-2016-5418 libarchive: Archive Entry with type 1 (hardlink), but has a non-zero data size file overwrite cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1847: kernel security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * A security flaw was found in the Linux kernel in the mark_source_chains() function in "net/ipv4/netfilter/ip_tables.c". It is possible for a user-supplied "ipt_entry" structure to have a large "next_offset" field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important) * A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important) * An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate) Bug Fix(es): * In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. (BZ#1353947) * Previously, running I/O-intensive operations in some cases caused the system to terminate unexpectedly after a null pointer dereference in the kernel. With this update, a set of patches has been applied to the 3w-9xxx and 3w-sas drivers that fix this bug. As a result, the system no longer crashes in the described scenario. (BZ#1362040) * Previously, the Stream Control Transmission Protocol (SCTP) sockets did not inherit the SELinux labels properly. As a consequence, the sockets were labeled with the unlabeled_t SELinux type which caused SCTP connections to fail. The underlying source code has been modified, and SCTP connections now works as expected. (BZ#1354302) * Previously, the bnx2x driver waited for transmission completions when recovering from a parity event, which substantially increased the recovery time. With this update, bnx2x does not wait for transmission completion in the described circumstances. As a result, the recovery of bnx2x after a parity event now takes less time. (BZ#1351972) Enhancement(s): * With this update, the audit subsystem enables filtering of processes by name besides filtering by PID. Users can now audit by executable name (with the "-F exe=<path-to-executable>" option), which allows expression of many new audit rules. This functionality can be used to create events when specific applications perform a syscall. (BZ#1345774) * With this update, the Nonvolatile Memory Express (NVMe) and the multi-queue block layer (blk_mq) have been upgraded to the Linux 4.5 upstream version. Previously, a race condition between timeout and freeing request in blk_mq occurred, which could affect the blk_mq_tag_to_rq() function and consequently a kernel oops could occur. The provided patch fixes this race condition by updating the tags with the active request. The patch simplifies blk_mq_tag_to_rq() and ensures that the two requests are not active at the same time. (BZ#1350352) * The Hyper-V storage driver (storvsc) has been upgraded from upstream. This update provides moderate performance improvement of I/O operations when using storvscr for certain workloads. (BZ#1360161) Additional Changes: Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/articles/2592321 Important Copyright 2016 Red Hat, Inc. CVE-2016-3134 CVE-2016-4997 CVE-2016-4998 CVE-2016-6197 CVE-2016-6198 CVE-2016-3134 kernel: netfilter: missing bounds check in ipt_entry structure CVE-2016-4997 kernel: compat IPT_SO_SET_REPLACE setsockopt CVE-2016-4998 kernel: out of bounds reads when processing IPT_SO_SET_REPLACE setsockopt cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1875: kernel-rt security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. The kernel-rt packages have been upgraded to the kernel-3.10.0-327.36.1 source tree, which provides a number of bug fixes over the previous version. (BZ#1366538) Security Fix(es): * A security flaw was found in the Linux kernel in the mark_source_chains() function in "net/ipv4/netfilter/ip_tables.c". It is possible for a user-supplied "ipt_entry" structure to have a large "next_offset" field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important) * A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important) * An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate) Important Copyright 2016 Red Hat, Inc. CVE-2016-3134 CVE-2016-4997 CVE-2016-4998 CVE-2016-6197 CVE-2016-6198 CVE-2016-3134 kernel: netfilter: missing bounds check in ipt_entry structure CVE-2016-4997 kernel: compat IPT_SO_SET_REPLACE setsockopt CVE-2016-4998 kernel: out of bounds reads when processing IPT_SO_SET_REPLACE setsockopt kernel-rt: update to the RHEL7.2.z batch#7 source tree cpe:/a:redhat:rhel_extras_rt:7 RHSA-2016:1912: firefox security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.4.0 ESR. Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-5257, CVE-2016-5278, CVE-2016-5270, CVE-2016-5272, CVE-2016-5274, CVE-2016-5276, CVE-2016-5277, CVE-2016-5280, CVE-2016-5281, CVE-2016-5284, CVE-2016-5250, CVE-2016-5261) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Samuel Groß, Brian Carpenter, Mei Wang, Ryan Duff, Catalin Dumitru, Mozilla developers, Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, Philipp, Carsten Book, Abhishek Arya, Atte Kettunen, and Nils as the original reporters. Critical Copyright 2016 Red Hat, Inc. CVE-2016-5250 CVE-2016-5257 CVE-2016-5261 CVE-2016-5270 CVE-2016-5272 CVE-2016-5274 CVE-2016-5276 CVE-2016-5277 CVE-2016-5278 CVE-2016-5280 CVE-2016-5281 CVE-2016-5284 CVE-2016-5261 Mozilla: Integer overflow and memory corruption in WebSocketChannel (MFSA 2016-75, MFSA 2016-86) CVE-2016-5250 Mozilla: Resource Timing API is storing resources sent by the previous page (MFSA 2016-84, MFSA 2016-86) CVE-2016-5257 Mozilla: Memory safety bugs fixed in Firefox ESR 45.4 (MFSA 2016-85, MFSA 2016-86) CVE-2016-5278 Mozilla: Heap-buffer-overflow in nsBMPEncoder::AddImageFrame (MFSA 2016-85, MFSA 2016-86) CVE-2016-5270 Mozilla: Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString (MFSA 2016-85, MFSA 2016-86) CVE-2016-5272 Mozilla: Bad cast in nsImageGeometryMixin (MFSA 2016-85, MFSA 2016-86) CVE-2016-5276 Mozilla: Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList (MFSA 2016-85, MFSA 2016-86) CVE-2016-5274 Mozilla: use-after-free in nsFrameManager::CaptureFrameState (MFSA 2016-85, MFSA 2016-86) CVE-2016-5277 Mozilla: Heap-use-after-free in nsRefreshDriver::Tick (MFSA 2016-85, MFSA 2016-86) CVE-2016-5280 Mozilla: Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap (MFSA 2016-85, MFSA 2016-86) CVE-2016-5281 Mozilla: use-after-free in DOMSVGLength (MFSA 2016-85, MFSA 2016-86) CVE-2016-5284 Mozilla: Add-on update site certificate pin expiration (MFSA 2016-85, MFSA 2016-86) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 RHSA-2016:1940: openssl security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304) * It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm (DSA) signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system. (CVE-2016-2178) * It was discovered that the Datagram TLS (DTLS) implementation could fail to release memory in certain cases. A malicious DTLS client could cause a DTLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory. (CVE-2016-2179) * A flaw was found in the Datagram TLS (DTLS) replay protection implementation in OpenSSL. A remote attacker could possibly use this flaw to make a DTLS server using OpenSSL to reject further packets sent from a DTLS client over an established DTLS connection. (CVE-2016-2181) * An out of bounds write flaw was discovered in the OpenSSL BN_bn2dec() function. An attacker able to make an application using OpenSSL to process a large BIGNUM could cause the application to crash or, possibly, execute arbitrary code. (CVE-2016-2182) * A flaw was found in the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by lowering priority of DES cipher suites so they are not preferred over cipher suites using AES. For compatibility reasons, DES cipher suites remain enabled by default and included in the set of cipher suites identified by the HIGH cipher string. Future updates may move them to MEDIUM or not enable them by default. * An integer underflow flaw leading to a buffer over-read was found in the way OpenSSL parsed TLS session tickets. A remote attacker could use this flaw to crash a TLS server using OpenSSL if it used SHA-512 as HMAC for session tickets. (CVE-2016-6302) * Multiple integer overflow flaws were found in the way OpenSSL performed pointer arithmetic. A remote attacker could possibly use these flaws to cause a TLS/SSL server or client using OpenSSL to crash. (CVE-2016-2177) * An out of bounds read flaw was found in the way OpenSSL formatted Public Key Infrastructure Time-Stamp Protocol data for printing. An attacker could possibly cause an application using OpenSSL to crash if it printed time stamp data from the attacker. (CVE-2016-2180) * Multiple out of bounds read flaws were found in the way OpenSSL handled certain TLS/SSL protocol handshake messages. A remote attacker could possibly use these flaws to crash a TLS/SSL server or client using OpenSSL. (CVE-2016-6306) Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and CVE-2016-6306 and OpenVPN for reporting CVE-2016-2183. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304 and CVE-2016-6306; and Karthikeyan Bhargavan (Inria) and Gaëtan Leurent (Inria) as the original reporters of CVE-2016-2183. Important Copyright 2016 Red Hat, Inc. CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2180 CVE-2016-2181 CVE-2016-2182 CVE-2016-6302 CVE-2016-6304 CVE-2016-6306 CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation CVE-2016-2180 OpenSSL: OOB read in TS_OBJ_print_bio() CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() CVE-2016-2181 openssl: DTLS replay protection bypass allows DoS against DTLS connection CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32) CVE-2016-2179 openssl: DTLS memory exhaustion DoS when messages are not removed from fragment buffer CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks CVE-2016-6306 openssl: certificate message OOB reads CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:1944: bind security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND constructed a response to a query that met certain criteria. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request packet. (CVE-2016-2776) Red Hat would like to thank ISC for reporting this issue. Important Copyright 2016 Red Hat, Inc. CVE-2016-2776 CVE-2016-2776 bind: assertion failure in buffer.c while building responses to a specifically constructed request cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:5 RHSA-2016:1978: python-twisted-web security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too. Security Fix(es): * It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000111) Note: After this update, python-twisted-web will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable. Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. Important Copyright 2016 Red Hat, Inc. CVE-2016-1000111 CVE-2016-1000111 Python Twisted: sets environmental variable based on user supplied Proxy request header cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:1985: thunderbird security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.4.0. Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2016-5257) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, Philipp and Carsten Book as the original reporters. Important Copyright 2016 Red Hat, Inc. CVE-2016-5257 CVE-2016-5257 Mozilla: Memory safety bugs fixed in Firefox ESR 45.4 (MFSA 2016-85, MFSA 2016-86) cpe:/a:redhat:rhel_productivity:5 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:2046: tomcat security update (Important) Red Hat Enterprise Linux 7 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es): * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security. Important Copyright 2016 Red Hat, Inc. CVE-2014-7810 CVE-2015-5346 CVE-2016-5388 CVE-2016-5425 CVE-2016-6325 CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions CVE-2015-5346 tomcat: Session fixation CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2047: kernel security update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path as an unlimited recursion could unfold in both VLAN and TEB modules leading to a stack corruption in the kernel. (CVE-2016-7039, Important) Important Copyright 2016 Red Hat, Inc. CVE-2016-7039 CVE-2016-7039 kernel: remotely triggerable unbounded recursion in the vlan gro code leading to a kernel crash cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2079: java-1.8.0-openjdk security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es): * It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy() function in certain cases. An untrusted Java application or applet could use this flaw to corrupt virtual machine's memory and completely bypass Java sandbox restrictions. (CVE-2016-5582) * It was discovered that the Hotspot component of OpenJDK did not properly check received Java Debug Wire Protocol (JDWP) packets. An attacker could possibly use this flaw to send debugging commands to a Java program running with debugging enabled if they could make victim's browser send HTTP requests to the JDWP port of the debugged application. (CVE-2016-5573) * It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for Jar integrity verification. This flaw could allow an attacker to modify content of the Jar file that used weak signing key or hash algorithm. (CVE-2016-5542) Note: After this update, MD2 hash algorithm and RSA keys with less than 1024 bits are no longer allowed to be used for Jar integrity verification by default. MD5 hash algorithm is expected to be disabled by default in the future updates. A newly introduced security property jdk.jar.disabledAlgorithms can be used to control the set of disabled algorithms. * A flaw was found in the way the JMX component of OpenJDK handled classloaders. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554) * A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if proxy asked for authentication. (CVE-2016-5597) Note: After this update, Basic HTTP proxy authentication can no longer be used when tunneling HTTPS connection through an HTTP proxy. Newly introduced system properties jdk.http.auth.proxying.disabledSchemes and jdk.http.auth.tunneling.disabledSchemes can be used to control which authentication schemes can be requested by an HTTP proxy when proxying HTTP and HTTPS connections respectively. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. Critical Copyright 2016 Red Hat, Inc. CVE-2016-10165 CVE-2016-5542 CVE-2016-5554 CVE-2016-5573 CVE-2016-5582 CVE-2016-5597 CVE-2016-5582 OpenJDK: incomplete type checks of System.arraycopy arguments (Hotspot, 8160591) CVE-2016-5573 OpenJDK: insufficient checks of JDWP packets (Hotspot, 8159519) CVE-2016-5554 OpenJDK: insufficient classloader consistency checks in ClassLoaderWithRepository (JMX, 8157739) CVE-2016-5542 OpenJDK: missing algorithm restrictions for jar verification (Libraries, 8155973) CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2098: kernel security update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important) Red Hat would like to thank Phil Oester for reporting this issue. Important Copyright 2016 Red Hat, Inc. CVE-2016-5195 CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2110: kernel-rt security update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es): * A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important) * Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path; As an unlimited recursion could unfold in both VLAN and TEB modules, leading to a stack corruption in the kernel. (CVE-2016-7039, Important) Red Hat would like to thank Phil Oester for reporting CVE-2016-5195. Important Copyright 2016 Red Hat, Inc. CVE-2016-5195 CVE-2016-7039 CVE-2016-7039 kernel: remotely triggerable unbounded recursion in the vlan gro code leading to a kernel crash CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage cpe:/a:redhat:rhel_extras_rt:7 RHSA-2016:2573: glibc security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es): * A stack overflow vulnerability was found in _nss_dns_getnetbyname_r. On systems with nsswitch configured to include "networks: dns" with a privileged or network-facing service that would attempt to resolve user-provided network names, an attacker could provide an excessively long network name, resulting in stack corruption and code execution. (CVE-2016-3075) This issue was discovered by Florian Weimer (Red Hat). Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Low Copyright 2016 Red Hat, Inc. CVE-2016-3075 Locale alias no_NO.ISO-8859-1 not working. sem_post/sem_wait race causing sem_post to return EINVAL Test suite failure: tst-mqueue5 CVE-2015-5277 glibc: nss_files doesn't detect ERANGE problems correctly [rhel-7.3] Unexpected results from using posix_fallocate with nfs target ld.so crash when audit modules provide path iconv: missing support for HKSCS-2008 in BIG5-HKSCS in rhel7 glibc "monstartup: out of memory" on PPC64LE glibc: malloc may fall back to calling mmap prematurely if arenas are contended glibc: hide backtrace from tst-malloc-backtrace malloc: arena free list can become cyclic, increasing contention CVE-2015-5229 glibc: calloc() returns non-zero'ed memory [rhel-7.3.0] Backport test-skeleton.c conversions. invalid fastbin entry (free), missing glibc patch glibc: NULL pointer dereference in stub resolver with unconnectable name server addresses CVE-2016-3075 glibc: Stack overflow in nss_dns_getnetbyname_r aarch64: MINSIGSTKSZ is (much) too small glibc: Fix aarch64 ABI issues glibc: debug/tst-longjump_chk2 calls printf from a signal handler cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2574: kernel security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * It was found that the Linux kernel's IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. (CVE-2016-3841, Important) * Several Moderate and Low impact security issues were found in the Linux kernel. Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-4312, CVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5412, CVE-2016-5828, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198, CVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578) Red Hat would like to thank Philip Pettersson (Samsung) for reporting CVE-2016-2053; Tetsuo Handa for reporting CVE-2016-2847; the Virtuozzo kernel team and Solar Designer (Openwall) for reporting CVE-2016-3156; Justin Yackoski (Cryptonite) for reporting CVE-2016-2117; and Linn Crosetto (HP) for reporting CVE-2016-3699. The CVE-2015-8812 issue was discovered by Venkatesh Pottem (Red Hat Engineering); the CVE-2015-8844 and CVE-2015-8845 issues were discovered by Miroslav Vadkerti (Red Hat Engineering); the CVE-2016-4581 issue was discovered by Eric W. Biederman (Red Hat); the CVE-2016-6198 issue was discovered by CAI Qian (Red Hat); and the CVE-2016-3070 issue was discovered by Jan Stancek (Red Hat). Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Important Copyright 2016 Red Hat, Inc. CVE-2013-4312 CVE-2015-8374 CVE-2015-8543 CVE-2015-8746 CVE-2015-8812 CVE-2015-8844 CVE-2015-8845 CVE-2015-8956 CVE-2016-2053 CVE-2016-2069 CVE-2016-2117 CVE-2016-2384 CVE-2016-2847 CVE-2016-3044 CVE-2016-3070 CVE-2016-3156 CVE-2016-3699 CVE-2016-3841 CVE-2016-4569 CVE-2016-4578 CVE-2016-4581 CVE-2016-4794 CVE-2016-5412 CVE-2016-5828 CVE-2016-5829 CVE-2016-6136 CVE-2016-6198 CVE-2016-6327 CVE-2016-6480 CVE-2016-7914 CVE-2016-7915 CVE-2016-9794 Xen guests may hang after migration or suspend/resume qdisc: address unexpected behavior when attaching qdisc to virtual device Backtrace after unclean shutdown with XFS v5 and project quotas XFS needs to better handle EIO and ENOSPC Test case failure: Screen - Resolution after no Screen Boot on Intel Valley View Gen7 [8086:0f31] panic in iscsi_target.c cannot mount RHEL7 NFS server with nfsvers=4.1,sec=krb5 but nfsvers=4.0,sec=krb5 works CVE-2015-8374 kernel: Information leak when truncating of compressed/inlined extents on BTRFS Tool thin_dump failing to show 'mappings' CVE-2015-8543 kernel: IPv6 connect causes DoS via NULL pointer dereference device mapper hung tasks on an openshift/docker system CVE-2015-8746 kernel: when NFSv4 migration is executed, kernel oops occurs at NFS client CVE-2013-4312 kernel: File descriptors passed over unix sockets are not properly accounted VFIO: include no-IOMMU mode - not supported soft lockup in nfs4_put_stid with 3.10.0-327.4.4.el7 CVE-2016-2053 kernel: Kernel panic and system lockup by triggering BUG_ON() in public_key_verify_signature() CVE-2016-2069 kernel: race condition in the TLB flush logic MAC address of VF is not editable even when attached to host CVE-2015-8812 kernel: CXGB3: Logic bug in return code handling prematurely frees key structures causing Use after free or kernel panic. XFS support for deferred dio completion fstrim failing on mdadm raid 5 device CVE-2016-2384 kernel: double-free in usb-audio triggered by invalid USB descriptor CVE-2016-3070 kernel: Null pointer dereference in trace_writeback_dirty_page() CVE-2016-2117 kernel: Kernel memory leakage to ethernet frames due to buffer overflow in ethernet drivers CVE-2016-2847 kernel: pipe: limit the per-user amount of pages allocated in pipes CVE-2016-3156 kernel: ipv4: denial of service when destroying a network interface BUG: s390 socketcall() syscalls audited with wrong value in field a0 CVE-2015-8845 CVE-2015-8844 kernel: incorrect restoration of machine specific registers from userspace CVE-2016-3699 kernel: ACPI table override allowed when securelevel is enabled CVE-2016-4581 kernel: Slave being first propagated copy causes oops in propagate_mnt CVE-2016-4569 kernel: Information leak in Linux sound module in timer.c CVE-2016-4578 kernel: Information leak in events in timer.c CVE-2016-4794 kernel: Use after free in array_map_alloc T460[p/s] audio output on dock won't work CVE-2016-5412 Kernel: powerpc: kvm: Infinite loop via H_CEDE hypercall when running under hypervisor-mode CVE-2016-5828 Kernel: powerpc: tm: crash via exec system call on PPC CVE-2016-5829 kernel: Heap buffer overflow in hiddev driver CVE-2016-6136 kernel: Race condition vulnerability in execve argv arguments CVE-2016-6327 kernel: infiniband: Kernel crash by sending ABORT_TASK command CVE-2016-6198 kernel: vfs: missing detection of hardlinks in vfs_rename() on overlayfs [Hyper-V][RHEL 7.2] VMs panic when configured with Dynamic Memory as opposed to Static Memory CVE-2016-6480 kernel: scsi: aacraid: double fetch in ioctl_send_fib() CVE-2016-3841 kernel: use-after-free via crafted IPV6 sendmsg for raw / tcp / udp / l2tp sockets. CVE-2015-8956 kernel: NULL dereference in RFCOMM bind callback cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2575: curl security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * It was found that the libcurl library did not prevent TLS session resumption when the client certificate had changed. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. (CVE-2016-5419) * It was found that the libcurl library did not check the client certificate when choosing the TLS connection to reuse. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. (CVE-2016-5420) * It was found that the libcurl library using the NSS (Network Security Services) library as TLS/SSL backend incorrectly re-used client certificates for subsequent TLS connections in certain cases. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. (CVE-2016-7141) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-5419 CVE-2016-5420 CVE-2016-7141 curl and libcurl truncates username/password in URL to 255 characters Certificate verification fails with multiple https urls [el7/curl] curl requires public ssh key file [RHEL-7] --disable-epsv option ignored for IPv6 hosts Ceph RGW deadlocks in curl_multi_wait CVE-2016-5419 curl: TLS session resumption client cert bypass CVE-2016-5420 curl: Re-using connection with wrong client cert CVE-2016-7141 curl: Incorrect reuse of client certificates cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2576: libguestfs and virt-p2v security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The libguestfs packages contain a library, which is used for accessing and modifying virtual machine (VM) disk images. Virt-p2v is a tool for conversion of a physical server to a virtual guest. The following packages have been upgraded to a newer upstream version: libguestfs (1.32.7), virt-p2v (1.32.7). (BZ#1218766) Security Fix(es): * An integer conversion flaw was found in the way OCaml's String handled its length. Certain operations on an excessively long String could trigger a buffer overflow or result in an information leak. (CVE-2015-8869) Note: The libguestfs packages in this advisory were rebuilt with a fixed version of OCaml to address this issue. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-8869 RFE: virt-p2v: display more information about storage devices virt-sparsify fails if a btrfs filesystem contains readonly snapshots virt-builder gives GPG warning message with gnupg2 Remove files in package libguestfs-bash-completion, these files are bash completion files, some of the virt tool completion are already implement in another file, so can remove its completion file set-label can only set <=127 bytes for btrfs and <=126 bytes for ntfs filesystem which not meet the help message. Also for ntfs it should give a warning message when the length >128 bytes btrfs filesystem will not work well if you create the filesystem with multiple disks at the same time, such as: mkfs-btrfs "/dev/sda1 /dev/sdb1" P2V: invalid conversion server prints unexpected end of file waiting for password prompt. RFE: allow passing in a pre-opened libvirt connection from python "lstatnslist" and "lstatlist" don't give an error if the API is used wrongly File /etc/sysconfig/kernel isn't updated when convert XenPV guest with regular kernel installed Security context on image file gets reset Support virt-v2v conversion of Windows > 7 virt-v2v: warning: unknown guest operating system: windows windows 6.3 when converting win8,win8.1,win2012,win2012R2,win10 to rhev Fail to import win8/win2012 to rhev with error "selected display type is not supported" Rebase libguestfs in RHEL 7.3 Wrong video driver is installed for rhel5.11 guest after conversion to libvirt P2V invalid password prints unexpected end of file waiting for command prompt. virt-p2v: Using "Back" button causes output list to be repopulated multiple times Unrelated info in fstab makes virt-v2v fail with unclear error info virt-p2v in non-GUI mode doesn't show any conversion progress or status v2v:Duplicate disk target set when convert guest with cdrom attached appliance fails to start with "supermin: ext2fs_file_write: /var/log/tallylog: Could not allocate block in ext2 filesystem" mount-loop failed to setup loop device: No such file or directory virt-builder --ssh-inject doesn't set proper permissions on created files virt-v2v should prevent using '-of' option appears twice on the command line No warning shows when convert a win7 guest with AVG AntiVirus installed virt-builder/virt-customize set password does not work ppc64le: virt-customize --install fail to detect the guest arch guestfish copy-in command behaves oddly/unexpectedly with wildcards Virt-p2v client shouldn't present the vdsm option because it's not usable RFE: virt-sparsify: make '--in-place' sparsification safe to abort (gracefully or ungracefully) Remove virt-v2v support for ppc64le guestfish should be able to handle LVM thin layouts Backport virt-v2v pull dcpath from libvirt <vmware:datacenterpath> There should be a reminder to avoid user to edit a guest image by multiple tools at the same time in guestfish man page virt-v2v doesn't remove VirtualBox additions correctly because of file quoting Running 'git clone' in virt-builder or virt-customize results in an error message virt-v2v does not copy additional disks to Glance OS name of win8.1 x64 guest shows incorrect in rhevm3.6 general info Wrong warning info "use standard VGA" shows when converting windows > 7 by virt-v2v error: internal error: Invalid floppy device name: hdb Filter perl provides Fail to install QXL driver for windows 2008r2 and win7 guest after conversion by virt-v2v virt-v2v -o libvirt doesn't preserve or use correct <graphics type="vnc|spice"> RFE: virt-p2v log window should process colour escapes and backspaces Remove reference info about --dcpath in virt-v2v manual page v2v cmd cannot exit and "block I/O error in device 'appliance': No space left on device (28)" is printed when specified "-v -x" virt-sysprep will fail detecting OS if "/usr" is a distinct partition mounted in "/" via fstab virt-v2v should prevent using multiple '-b' and '-n' option appears on the command line virt-v2v should prevent multiple conflicting for "-oa " Remove --in-place option in virt-v2v help Inspection does not parse /etc/redhat-release containing "Derived from Red Hat Enterprise Linux 7.1 (Source)" CVE-2015-8869 ocaml: sizes arguments are sign-extended from 32 to 64 bits Multiple network ports will not be aligned at p2v client [RFE] Suggestion give user a reminder for "Cancel conversion" button Testing connection timeout when input regular user of conversion server with checked "use sudo......"button virt-p2v spinner should be hidden when it stops spinning Ethtool command is not supported on p2v client virt-get-kernel prompts an 'invalid value' error when using --format auto Should remind a warning about disk image has a partition when using virt-p2v-make-disk Convert a guest from RHEL by virt-v2v but its origin info shows RHEV at rhevm Ifconfig command is not supported on p2v client Failure when disk contains an LV with activationskip=y Failed SSH to conversion server by ssh identity http url at p2v client [RFE]Should give a better description about 'curl error 22' when failed using ssh identity http url at p2v client virt-customize --truncate-recursive should give an error message when specifying a no-existing path virt-sysprep --install always failed to install the packages specified virt-p2v should update error prompt when 'Test connection' with a non-existing user in conversion server virt-inspector can not get windows drive letters for GPT disks Error info is not clear when failed ssh to conversion server using non-root user with password on p2v client Improve error info "remote server timeout unexpectedly waiting for password prompt" when connect to a bogus server at p2v client Virt-manager can't show OS icons of win7/win8/ubuntu guest. overlay of disk images does not specify the format of the backing file Some info will show when convert guest to libvirt by virt-v2v with parameter --quiet Fail to inspect Windows ISO file virt-dib failed to create image using DIB_YUM_REPO_CONF run_command runs exit handlers when execve fails (e.g. due to missing executable) Miscellaneous fixes to tool options Backport improved --selinux-relabel support for virt-sysprep, virt-builder, virt-customize virt-sparsify --in-place failed with UEFI system [virt-p2v]Failed to connect to conversion server while testing LSI-mpt2sas hardware which using bnx2x network driver Guest name is incorrect if convert guest from disk image by virt-v2v Converting rhel7 host installed on RAID:warning: fstrim: fstrim: /sysroot/: the discard operation is not supported OVMF file which is built for rhel7.3 can't be used for virt-v2v uefi conversion virt-manager coredump when vm with gluster image exists cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2577: libvirt security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. The following packages have been upgraded to a newer upstream version: libvirt (2.0.0). (BZ#830971, BZ#1286679) Security Fix(es): * It was found that the libvirt daemon, when using RBD (RADOS Block Device), leaked private credentials to the process list. A local attacker could use this flaw to perform certain privileged operations within the cluster. (CVE-2015-5160) * A path-traversal flaw was found in the way the libvirt daemon handled filesystem names for storage volumes. A libvirt user with privileges to create storage volumes and without privileges to create and modify domains could possibly use this flaw to escalate their privileges. (CVE-2015-5313) * It was found that setting a VNC password to an empty string in libvirt did not disable all access to the VNC server as documented, instead it allowed access with no authentication required. An attacker could use this flaw to access a VNC server with an empty VNC password without any authentication. (CVE-2016-5008) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-5160 CVE-2015-5313 CVE-2016-5008 Automagically iptables rules added by libvirt can't be avoided/disabled The virtual size of the vol should not be reduced after wiped qemu: could not load kernel ... Permission denied using polkit with virsh for non-root access does not work via ssh or locally RFE: virsh: provide easy pci-passthrough netdev attach command Libvirt should forbid or remove the duplicate <interface>/<address> subelements in <forward> element of virtual network libvirt should provide a more useful error message when a PCI controller is configured to plug into itself (bus = index) error message need be improved for q35 guest with wrong controller libvirt activate pool with invalid source. Volume download speed is slow [Doc] 3 problems in nwfilter doc Warn users against setting memory hard limit too high when used for mlock or rdma-pin-all Support the readonly attribute for SCSI passthrough devices virDevicePCIAddressParseXML check failed for PCI device 0000:00:00.0 Wrong allocation size when create/resize volumes in NFS pool [RFE] Hot Un-Plug CPU - Support dynamic virtual CPU deallocation - libvirt RFE: configure guest NUMA node locality for guest PCI devices glusterfs backend does not support discard (libvirt) Option shareable does not take effect after injecting a cdrom to guest by attach-disk libvirt reports json "backing file" is missing need a non-event way to determine qemu's current offset from utc migration will hang after use migrate with --graphicsuri and guest status will be locked [RFE] Update-device support update startupPolicy option to domain XML pool allocation value too large after volume creation Report better error message for reordered companion controllers Disk should be removed while using no-exist 'file' type volume with startupPolicy='optional' When set/update graphics password to empty, log in guest with spice and vnc show different behaviour [Power KVM] Floppy disk couldn't be detected on PPC64 guest [RFE] add virtio-gpu and virtio-vga support block job status is missing when zero-length copy job is in mirroring phase blockcopy always failed when with option "--pivot" Blockcopy for lun device changes disk type=block to file, however, it's unsupported configuration When libvirt automatically fill up SCSI virtual disk's target address, it doesn't check existing hostdev SCSI device's target address, and this will cause conflict. Libvirt does not generate guest USB addresses Guest show blackscreen after resume the guest which paused by watchdog wrong display of current memory after memory hot-plug update floppy command line options for QEMU's pc-q35-rhel7.2.0+ machine types [RFE] add virtio-input support Manually created LVM is deleted by virsh vol-create-as if it is having the same name Blockcopy always fail when use options "granularity" guest will have broken settings if we cold-unplug a vcpu which included in some domain vcpu sched RFE: Enable the intel-iommu device in QEMU Add multiqueue support for 'direct' interface types. Virsh client doesn't print error message when the connection is reset by server on some ocassion. Setvcpu should inherit the cputune value in cgroups was set before via schedinfo Guest agent should report proper error while guest agent was unreachable and restart libvirtd service error not right when set memtune but get failed libvirt should reject metadata elements not belonging to any namespace CVE-2015-5160 libvirt: Ceph id/key leaked in the process list RFE: libvirt: support multiple volume hosts for gluster volumes volume info has incorrect allocation value for extended partition. no error output when pass a negative number to setvcpus cpu-stats returns error messages with --start <number> (number >=32) iothreadpin will pin one of libvirtd thread with qemu 1.5 domfsinfo do not have output in quiet mode Change-media cannot insert if disk source element with startupPolicy libvirt produced ambiguous error message when create disk pool with a block device which has no disk label blkiotune cannot live update <weight> value into domain xml via --weight error should be improved when use some virsh command get failure libvirt shouldn't add extra "auth type" into domain xml when using iscsi volume disk with secret setting. libvirt could have a check to host node during use numatune guest which use big maxmemory will lose track after restart libvirtd RFE: support QXL vram64 parameter net-dhcp-leases should return error when parse invalid mac vpx: Include dcpath output in libvirt XML libvirt take too much time to redefine a guest when set a big iothreads Offline migration failed with memory device when guest is shutoff. Wrong error when call allocPages and specify a 0 page size Audit log entries for hot(un)plugged memory devices are sometimes incorrect libvirt should emit warning/error if vhostuser network device is used, but shared memory is not configured do not crash if a machine config in /etc/libvirt is missing a machine type Guest state "crashed" does not get updated after "virsh reset" Can't start VM with memory modules if memory placement is auto libvirt should escape possible invalid characters. Volume's allocation should be updated automatically while doing virsh vol-wipe Wrong display of numatune result if guest use numad advise Change media fail with virtio scsi cdrom when tray is open The vaule of Used memory in 'virsh dominfo' is 0 when the guest is shut off virsh client crash when pass an empty string to dump option format ppc64le: VFIO doesn't work for small guests (1 GiB) VM with attached VFIO device is powered off when trying to hotplug increase memory of VM. libvirt do not check the if the serial type is changed during migrate/save internal error: Invalid or not yet handled value 'emptyBackingString' for VMX entry 'ide1:0.fileName' for device type 'cdrom-image' Fail to create pool with a virtual HBA in NPIV CVE-2015-5313 libvirt: filesystem storage volume names path traversal flaw Libvirtd segment fault when create and destroy a fc_host pool with a short pause cannot start virtual machine after renaming it error "unsupported migration cookie feature memory-hotplug" is reported despite migration working Cannot PXE boot using VF devices "virsh domjobinfo" hangs on destination host during migration. virsh domcontrol will show different result to a inactive guest some virsh cmd get failure without set error message It's better support to delete snapshots for rbd volume Unable to set permission when a volume is created in root squash netfs pool Actual downtime - Sometimes libvirt doesn't report 'downtime_net' in jobStats while migrating VM/s libvirt can not start a VM with non-ACSII or long names: Invalid machine name (from systemd) Creating external disk snapshot for a guest which has two disks with the same prefix name,the disks become the same name in xml Fail to valid the guest's xml while set the graphical listen as ipv6 address which end with "::" on rhel7 Rebase libvirt to current upstream release Virsh lacks support for the scale (MiB/s OR Bytes/s) for block job bandwidth Error message misleads users when 2 or more IDE controllers are configured Live Migration dynamic cpu throttling for auto-convergence (libvirt) 59-character name-length limitation when creating VMs Libvirt incorrectly unplug the backend when host device frontent hotplug fails libvirt should forbid set current cpu is 0 in xml libvirt should forbid set 0,^0 in cpuset instead of generate a xml which have broken settings libvirt fails to unlink the image disks after creating VMs using virt-install: cannot unlink file 'FOO': Success Libvirt mishandle the internal snapshot with AHCI device Migration fails with -dname option when guest agent is specified ppc64 guests default to legacy -usb option instead of -device pci-ohci XML-RPC error : Cannot write data: Transport endpoint is not connected The size of raw image is incorect after clone without --nonsparse Set spice graphic port to '-1', the port allocated to the guest can't be used again after the guest is managedsaved or shutoff. [RFE] add support for LUKS disk encryption format driver w/ RBD, iSCSI, and qcow2 libvirt_driver_qemu.so references libvirt_driver_storage.so Set cgroup device ACLs to allow block device for NVRAM backing store [RFE] Allow specifying cpu pinning for inactive vcpus libvirt check the wrong cpu placement status when change the emulator/iothreadpin configuration virtlogd failed to open guest log file while doing migration direct interface with multiqueue enabled donesn't support hotplugging libvirt will not override a target name with prefix of 'vif' in guest's xml interface part, which do not conform to the description in libvirt.org Fail to restore vm with usb keyboard config on ppc64le Libvirt should reject to rename a domain in saved status. improve the error when undefine transient network libvirt auto remove the vcpupin config when cold-unplug vcpu libvirt report wrong error when parse vcpupin info libvirtd crashed if set vcpusched vcpus over maxvcpu cmd domstats cause libvirtd memleak active virtual network based on linux bridge will becase inactive after libvirtd restart libvirt does not report PCI_HEADER_TYPE in node device XML Eject cdrom fails since tray is locked but next try succeeds vol-create-from failed for logical pool log error when <bandwidth> requested on a <interface type='hostdev'> [RFE] Report memory hotunplug failure Migrating guest with default guest agent socket path from 1.3.x to 1.2.17 failed migration from RHEL6.8 to RHEL7.3 host failed with error "Unsupported migration cookie feature persistent" when vol-create-as a volume with invalid name in a disk pool, libvirt produced error, but parted still created a partition and multipathd didn't generate symbolic link in /dev/mapper libvirt-python: rename a domain with empty string will make it disappear libvirt fails to create a macvtap deivce if an attempted name was already created by some process other than libvirt Fail to hotplug guest agent with libvirt-1.3.2-1.el7 generate bootindex even when <bootmenu enable='yes'/> is specified Hotplug of memory/rng device fails after unplugging device of the same type that is not last libvirtd crashed if destroy then start a guest which have redirdev device libvirt forget free priv->machineName when clear guest resource "virtlogd --verbose" doesn't output verbose messages The old logging way(file) is used when no qemu.conf file exists Virtlogd doesn't release client resource after guest restore from a saved file. virsh create fails if <video> element is not set in XML new NSS module for host name translation of domains managed by libvirt Migration failed when setting vnc_auto_unix_socket = 1 Update-device fail to update floppy with an unknown error guest have broken settings after use setvcpus --maximum to make vcpu number < vcpu number in numa RFE: support -acpitable disk source format is not properly set for disk type='volume' update floppy device with readonly element report cannot modify snapshot error watchdog's action moved to 'pause' automatically when start a guest with watchdog's action setting to 'dump' blkdeviotune should limit the maximum to some sensible number Guest got killed when restart libvirtd if guest has cmt event enabled but host doesn't support CMT "virsh perf $guest --enable '' " has memory leak. virsh nodecpumap --pretty shows wrong result on machine with many cores No error messages for cpu-stats with --start option. "virsh domdisplay" recognizes 0.0.0.0 as localhost libvirt is incompatible with qemu-rhev-2.6 with empty CDROM drive <vcpu max='...'/> in domacapabilities should take KVM limits into account Libvirt rejects object name starting with '.' libvirtd allows SSLv3 connections and poor ciphers Dump a guest with long domain name by watchdog failed print generic error to user if qemu fails without printing any error virDomainGetControlInfo hangs after random time with unresponsive storage Hot-plugs into root-port and downstream-port fail Libguestfs could not create appliance through libvirt on aarch64 because libvirt doesn't support dmi-to-pci-bridge (i82801b11-bridge) controller Tiny issue: PCI controller's index cannot be = bus Sometimes guest OS paused after managedsave&start. 'virsh event' can not capture disk-change events update dns settings in network by net-update will not take effect immediately RHEL Doc error about S3/S4 operations for guest Owner and SElinux context cannot be restored after hot-unplug USB Host device libvirt limits chassisNr for pci bridge to between 0 and 255, however, qemu does not support chassis_nr=0 The default value of 'max_anonymous_clients' is not correct memory section in domxml stay unchanged after memory hot-unplug SASL authentication failed to create client context when connecting to libvirt daemon some bugs in function which used to parse perf event xml element cannot pool-define/create mpath pool libvirt will enable perf event which user want disable it Enable /dev/urandom as source of entropy for virtio-rng libvirtd crashes after qemu-attach in qemuDomainPerfRestart() Memory locking is not required for non-KVM ppc64 guests lxc: when undefine a vm first, cannot destroy it successfully. "virsh blkiotune" causes libvirtd crash CVE-2016-5008 libvirt: Setting empty VNC password allows access to unauthorized users auto_dump_path setting in the qemu.conf not work cannot pool-create iscsi pool because cannot successfully login iscsi target Failed "virsh connect" return 0. The default uri should be libvirtd:///session in non-root session libvit should support set IOthread quota into cgroup libvirtd memory leak when guest has hostdev element Some environment variables don't take effect for virt-admin The uri_aliases setting in libvirt-admin.conf doesn't take effect. Service is not re-enabled when increasing max_clients limit after it has been reached. Incorrect memory virtualization in lxc driver pci-expander-bus should only connect to pci-root, and pcie-expander-bus should only connect to pcie-root Migration failed when the secondary video devices have different ram/vram sizes. the result of change-media --eject is different from the result in guest Disallow to attach upstream port to pxb-pcie if root-port is not attached to pxb-pcie SASL info is missing in the output of "virt-admin client-info" Persistent fs pool is undefined after startup fails Provide proper error messages when hot-plugging devices into a not hot-pluggable pci controller Libvirtd crashes when using vol-create-from to create a raw vol and using a qcow2 vol as source Add support to attach dmi-to-pci-bridge (i82801b11-bridge) into pxb-pcie libvirtd crashed when use virt-install to create a lxc container Regenerate docs while building downstream package CPU feature cmt not found with 2.0.0-1 virt-admin reports a message indicating success when it fails to connect some memory leak in qemuDomainAssignAddresses Screenshot does not work with qxl video model type. libvirt report unknown error when iothreadsched point to not exist iothread Core dumped when do secret-get-value Increase the queue size to the max allowed, 1024. USB address referencing a non-existent hub crashes libvirtd libvirt SIGSEGV when hot-plug a disk with luks encryption key mismatched in http protocol of json backing format The uri_default in libvirt-admin.conf doesn't take effect libvirt changes the guest xml on target host even if migration failed Use setvcpus to change maximum vcpu number will make guest have broken settings libvirt wrongly convert json to xml when attaching json glusterfs backing images Migration fails with "info migration reply was missing return status" when storage insufficient on target [ppc64] vm config with hotplugable vcpus gets broken after libvirtd restart libvirt: SCSI: hostdev / controller host-plug related fixes cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2578: pacemaker security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The Pacemaker cluster resource manager is a collection of technologies working together to provide data integrity and the ability to maintain application availability in the event of a failure. The following packages have been upgraded to a newer upstream version: pacemaker (1.1.15). (BZ#1304771) Security Fix(es): * It was found that the connection between a pacemaker cluster and a pacemaker_remote node could be shut down using a new unauthenticated connection. A remote attacker could use this flaw to cause a denial of service. (CVE-2016-7797) Red Hat would like to thank Alain Moulle (ATOS/BULL) for reporting this issue. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-7797 fencing adjacent node occurs even if the stonith resource is Stopped clvmd/dlm resource agent monitor action should recognize it is hung stonith_admin strips description from fence agents' metadata Pacemaker's lrmd crashes after certain systemd errors Updating a fencing device will sometimes result in it no longer being registered service pacemaker_remote stop causes node to be fenced Rebase Pacemaker for bugfixes and features Pacemaker looses shutdown requests under some conditions crmd can crash after unexpected remote connection takeover crm_report -l does not work correctly Better handling of remote nodes when generating crm_reports pengine wants to start services that should not be started pacemaker does not flush the attrd cache fully after a crm_node -R node removal Restarting a resource in a resource group on a remote node restarts other services instead Backport upstream bug systemd: Return PCMK_OCF_UNKNOWN_ERROR instead of PCMK_OCF_NOT_INSTALLED for uncertain errors on LoadUnit missing header for the resources section in the crm_mon output when called without --inactive flag pacemaker-remote rpm does not properly restart pacemaker_remote during package upgrade, potentially triggering a watchdog fence CVE-2016-7797 pacemaker: pacemaker remote nodes vulnerable to hijacking, resulting in a DoS attack cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2579: libreoffice security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite. The following packages have been upgraded to a newer upstream version: libreoffice (5.0.6.2). (BZ#1290148) Security Fix(es): * Multiple flaws were found in the Lotus Word Pro (LWP) document format parser in LibreOffice. By tricking a user into opening a specially crafted LWP document, an attacker could possibly use this flaw to execute arbitrary code with the privileges of the user opening the file. (CVE-2016-0794, CVE-2016-0795) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-0794 CVE-2016-0795 [fix available]Master Slide Elements of Footer, Number, and Date are not delectable easily [fix available] Selecting multiple slides is not reflected in Print dialog [abrt] [fix-available] libreoffice-core: SfxViewFrame::GetFrame() const(): soffice.bin killed by SIGSEGV [fix available] Calc: Random Number generator can't be edited and applied for cell location [fix available] In Start Center, if you open Templates, there is no "Close" or "X" in upper right corner of Templates dialog box. [fix available] sometimes LO doesn't see cups printers [fix available] Writer fails to open correct ODT file from WebDAV share rebase to libreoffice 5.0 in RHEL 7.3 rebase libcmis to 0.5.0 rebase mdds to 0.12.1 CVE-2016-0794 CVE-2016-0795 libreoffice: Multiple out-of-bounds overflows in lwp filter [fix available] Not able to add RH Google Drive as a server cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2580: poppler security and bug fix update (Moderate) Red Hat Enterprise Linux 7 Poppler is a Portable Document Format (PDF) rendering library, used by applications such as Evince. Security Fix(es): * A heap-buffer overflow was found in the poppler library. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code when opened. (CVE-2015-8868) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-8868 Show at least characters from PDFDocEncoding in editable forms CVE-2015-8868 poppler: heap buffer overflow in ExponentialFunction cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2581: NetworkManager security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband (WWAN), and PPPoE devices, as well as providing VPN integration with a variety of different VPN services. The following packages have been upgraded to a newer upstream version: NetworkManager (1.4.0), NetworkManager-libreswan (1.2.4), network-manager-applet (1.4.0), libnl3 (3.2.28). (BZ#1264552, BZ#1296058, BZ#1032717, BZ#1271581) Security Fix(es): * A race condition vulnerability was discovered in NetworkManager. Temporary files were created insecurely when saving or updating connection settings, which could allow local users to read connection secrets such as VPN passwords or WiFi keys. (CVE-2016-0764) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Low Copyright 2016 Red Hat, Inc. CVE-2016-0764 Adding bond device to bridge with "bridge-slave" type doesn't work. [enh] Configuration snapshots and rollbacks it would make sense for NM to allow specifying an order for DNS servers network-online.target met before IPv6 is up NetworkManager no longer provides complete FQDN (DHCP_HOSTNAME) to dhclient NetworkManager loops and takes CPU until it dies when teamd is unresponsive Setting up team with invalid json config leads to inconsistent state incorrect completion of bluetooth device in nmcli available bluetooth devices should be listed in connection wizard NM crashing when upping libreswan connection as secondary [abrt] NetworkManager: ipv4acd_on_timeout(): NetworkManager killed by SIGABRT NetworkManager infiniband connected mode fails with some adapters Default-route doesn't get removed when disconnecting device externally (on lost carrier, unplug cable) nm-libreswan-service abort when trying to establish vpn connection to RH intranet ipv6 address on team.vlan interface disappear sometimes Mobile broadband (WWAN) connection not detected after suspend the team connection becomes incorrect after I restart NetworkManager rebase libnl3 package to new upstream version for rhel-7.3 regression: Fails to connect to Red Hat VPN ifup network with an interface name with more than 16 characters [abrt] NetworkManager: check_if_startup_complete(): NetworkManager killed by SIGSEGV NetworkManager Bridged Team MTU Fails to Set bond profile doubling after restart with manual ipv6 (or ignore) RHEL7.2: default route for vlan devices does not get added on boot default team profile should load some default config NetworkManager ignores the REORDER_HDR flag for VLAN connections the restart of NetworkManager service disables a configured connection and creates a dynamic connection broadband PIN dialog wont appear failed to disable userspace IPv6LL address handling CVE-2016-0764 NetworkManager: Race condition allowing info leak Vlan devices do not inherit the bonding device MAC address when bonding driver is reloaded Fails to connect to ethernet after update to 1:NetworkManager-1.2.0-0.1.beta3.el7.x86_64 NM does not run pre-down scripts on suspend/sleep/hibernate NetworkManager.service never reaches its 'startup complete' state IFF MTU=9000 (ixgbe driver) [abrt] [faf] NetworkManager: unknown function(): /usr/sbin/NetworkManager killed by 11 Restarting NetworkManager causes devices to be lost from the network connections rename package NetworkManager-config-routing-rules to NetworkManager-dispatcher-routing-rules NetworkManager spec file calls rpm to determine ppp version which fails in mock builds Please consider managing /etc/resolv.conf not a symlink file completion doesn't work for libreswan import Can't press "create" button via keyboard when create network on p2v client IPv6 address not assigned to VLAN subinterface when assigned immediately after device creation NetworkManager warning/error on T460s/p during suspend double up of team leads to nmc223.6 c651] tuaps: Ne workManager[30546] trap int3 ip:7fbdd56bb643 sp:7ffc02c09b40 error:0 GCC fails when including libnl3 header cannot set lp_interval to bond balance-tlb (or alb) mode vpn dns record is not deleted when profile goes down 20 seconds timeout is not sufficient for VPN password entry [abrt] [faf] NetworkManager: g_logv(): /usr/sbin/NetworkManager killed by 5 show name if ask is specified for 802.1x connections [abrt] [faf] NetworkManager: g_logv(): /usr/sbin/NetworkManager killed by 5 Deleting a bridge with a slave attached leaves the slave with a nonexistent master [abrt] [faf] NetworkManager: unknown function(): /usr/bin/nmcli killed by 11 Hostname is 'localhost.localdomain' after distro installation The device's master is unset when downed outside NetworkManager NetworkManager log messages are missing in /tmp/syslog warn nicely about insufficient permissions when changing logging level Unable to set up mtu on bonded interface in RHEL 7.2 network team device configuration in kickstart pre section not working Failure to configure team with ifcfg after ipv4.manual and ipv4.addresses entries are added prompt gets stuck nmcli asks for ipv4 and ipv6 method even if these were specified [abrt] [faf] NetworkManager: raise(): /usr/sbin/NetworkManager killed by 6 [abrt] [faf] NetworkManager: raise(): /usr/sbin/NetworkManager killed by 5 [NetworkManager] - 'nmcli' Bond slaves remain with BOOTPRORTO=dhcp although we configured them with disabled method backport "route/addr: address attributes based on object" [anaconda ibft] ibft plugin stopped working in 7.3 due to /sbin/iscsiadm failing. fatal failure to set MAC address on wifi D-Bus signal PropertiesChanged emitted for wrong interface type incorrect team config not refused but nullified regression in libnm serializing "cloned-mac-address" which causes failure to edit property in nmtui DHCP timeout due to race condition calling nm-dhcp-helper backport fix for crash in libnm's nm_vpn_plugin_info_list_get_service_types() no tab completion in nmcli after ifname segfault when Reapplying slave connection, without changes installation of 1.4.0 NM is possible onto 7.2 but it's not working w/o newer glib2 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2582: nettle security and bug fix update (Moderate) Red Hat Enterprise Linux 7 Nettle is a cryptographic library that is designed to fit easily in almost any context: In cryptographic toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like lsh or GnuPG, or even in kernel space. Security Fix(es): * Multiple flaws were found in the way nettle implemented elliptic curve scalar multiplication. These flaws could potentially introduce cryptographic weaknesses into nettle's functionality. (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805) * It was found that nettle's RSA and DSA decryption code was vulnerable to cache-related side channel attacks. An attacker could use this flaw to recover the private key from a co-located virtual-machine instance. (CVE-2016-6489) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-8803 CVE-2015-8804 CVE-2015-8805 CVE-2016-6489 nettle: sha3 implementation does not conform to the published version CVE-2015-8803 nettle: secp256 calculation bug CVE-2015-8804 nettle: miscalculations on secp384 curve CVE-2015-8805 nettle: secp256 calculation bug CVE-2016-6489 nettle: RSA/DSA code is vulnerable to cache-timing related attacks cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2583: ntp security and bug fix update (Moderate) Red Hat Enterprise Linux 7 The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es): * It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702) * A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701) * An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852) * A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977) * A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978) * It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979) * It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194) * It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195) * It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-5196, CVE-2015-7703) * It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219) * A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A). (CVE-2015-7974) * A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-8158) The CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichvár (Red Hat). Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-5194 CVE-2015-5195 CVE-2015-5196 CVE-2015-5219 CVE-2015-7691 CVE-2015-7692 CVE-2015-7701 CVE-2015-7702 CVE-2015-7703 CVE-2015-7852 CVE-2015-7974 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 ntpd doesn't reset system leap status when disarming leap timer CVE-2015-5194 ntp: crash with crafted logconfig configuration command CVE-2015-5195 ntp: ntpd crash when processing config commands with statistics type CVE-2015-7703 ntp: config command can be used to set the pidfile and drift file paths CVE-2015-5219 ntp: infinite loop in sntp processing crafted packet CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 ntp: incomplete checks in ntp_crypto.c CVE-2015-7701 ntp: slow memory leak in CRYPTO_ASSOC CVE-2015-7852 ntp: ntpq atoascii memory corruption vulnerability CVE-2015-7974 ntp: missing key check allows impersonation between authenticated peers (VU#357792) CVE-2015-7977 ntp: restriction list NULL pointer dereference CVE-2015-7978 ntp: stack exhaustion in recursive traversal of restriction list CVE-2015-7979 ntp: off-path denial of service on authenticated broadcast mode CVE-2015-8158 ntp: potential infinite loop in ntpq cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2584: kernel-rt security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es): * It was found that the Linux kernel's IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. (CVE-2016-3841, Important) * Several Moderate and Low impact security issues were found in the Linux kernel. Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-4312, CVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198, CVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578) Red Hat would like to thank Philip Pettersson (Samsung) for reporting CVE-2016-2053; Tetsuo Handa for reporting CVE-2016-2847; the Virtuozzo kernel team and Solar Designer (Openwall) for reporting CVE-2016-3156; Justin Yackoski (Cryptonite) for reporting CVE-2016-2117; and Linn Crosetto (HP) for reporting CVE-2016-3699. The CVE-2015-8812 issue was discovered by Venkatesh Pottem (Red Hat Engineering); the CVE-2015-8844 and CVE-2015-8845 issues were discovered by Miroslav Vadkerti (Red Hat Engineering); the CVE-2016-4581 issue was discovered by Eric W. Biederman (Red Hat); the CVE-2016-6198 issue was discovered by CAI Qian (Red Hat); and the CVE-2016-3070 issue was discovered by Jan Stancek (Red Hat). Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Important Copyright 2016 Red Hat, Inc. CVE-2013-4312 CVE-2015-8374 CVE-2015-8543 CVE-2015-8746 CVE-2015-8812 CVE-2015-8844 CVE-2015-8845 CVE-2015-8956 CVE-2016-2053 CVE-2016-2069 CVE-2016-2117 CVE-2016-2384 CVE-2016-2847 CVE-2016-3070 CVE-2016-3156 CVE-2016-3699 CVE-2016-3841 CVE-2016-4569 CVE-2016-4578 CVE-2016-4581 CVE-2016-4794 CVE-2016-5829 CVE-2016-6136 CVE-2016-6198 CVE-2016-6327 CVE-2016-6480 evaluate realtime performance implications of turning on CONFIG_CGROUP_SCHED in realtime kernel kernel-rt: update to the RHEL7.2.z batch 2 source tree [kernel-rt] update kernel-rt to match RHEL-7.3 source tree CVE-2015-8374 kernel: Information leak when truncating of compressed/inlined extents on BTRFS CVE-2015-8543 kernel: IPv6 connect causes DoS via NULL pointer dereference rt: netpoll: live lock with NAPI polling and busy polling on realtime kernel CVE-2015-8746 kernel: when NFSv4 migration is executed, kernel oops occurs at NFS client CVE-2013-4312 kernel: File descriptors passed over unix sockets are not properly accounted CVE-2016-2053 kernel: Kernel panic and system lockup by triggering BUG_ON() in public_key_verify_signature() CVE-2016-2069 kernel: race condition in the TLB flush logic CVE-2015-8812 kernel: CXGB3: Logic bug in return code handling prematurely frees key structures causing Use after free or kernel panic. backport of: "softirq: split timer softirqs out of ksoftirqd" kernel-rt: update to the RHEL7.2.z batch#3 source tree CVE-2016-2384 kernel: double-free in usb-audio triggered by invalid USB descriptor CVE-2016-3070 kernel: Null pointer dereference in trace_writeback_dirty_page() CVE-2016-2117 kernel: Kernel memory leakage to ethernet frames due to buffer overflow in ethernet drivers CVE-2016-2847 kernel: pipe: limit the per-user amount of pages allocated in pipes CVE-2016-3156 kernel: ipv4: denial of service when destroying a network interface kernel-rt: update to the RHEL7.2.z batch#4 source tree divide by zero leads to host reboot deadlock in fscache code (merge error) CVE-2015-8845 CVE-2015-8844 kernel: incorrect restoration of machine specific registers from userspace RFE: Enable can-dev module CVE-2016-3699 kernel: ACPI table override allowed when securelevel is enabled rt: fix idle_balance iterating over all CPUs if a runnable task shows up partway through kernel-rt: update to the RHEL7.2.z batch#5 source tree rt: Use IPI to trigger RT task push migration instead of pulling CVE-2016-4581 kernel: Slave being first propagated copy causes oops in propagate_mnt CVE-2016-4569 kernel: Information leak in Linux sound module in timer.c CVE-2016-4578 kernel: Information leak in events in timer.c CVE-2016-4794 kernel: Use after free in array_map_alloc softlockups correlating to "qbrXXXXXXX: hw csum failure" and failed checksumming backport of the latest "printk: Make rt aware" from PREEMPT-RT kernel-rt: update to the RHEL7.2.z batch#6 source tree turn CONFIG_RCU_NOCB_CPU_ALL=y off CVE-2016-5829 kernel: Heap buffer overflow in hiddev driver CVE-2016-6136 kernel: Race condition vulnerability in execve argv arguments CVE-2016-6327 kernel: infiniband: Kernel crash by sending ABORT_TASK command CVE-2016-6198 kernel: vfs: missing detection of hardlinks in vfs_rename() on overlayfs CVE-2016-6480 kernel: scsi: aacraid: double fetch in ioctl_send_fib() CVE-2016-3841 kernel: use-after-free via crafted IPV6 sendmsg for raw / tcp / udp / l2tp sockets. kernel-rt: update to the RHEL7.2.z batch#7 source tree CVE-2015-8956 kernel: NULL dereference in RFCOMM bind callback cpe:/a:redhat:rhel_extras_rt:7 RHSA-2016:2585: qemu-kvm security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix(es): * An integer overflow flaw and an out-of-bounds read flaw were found in the way QEMU's VGA emulator set certain VGA registers while in VBE mode. A privileged guest user could use this flaw to crash the QEMU process instance. (CVE-2016-3712) * An infinite loop flaw was found in the way QEMU's e1000 NIC emulation implementation processed data using transmit or receive descriptors under certain conditions. A privileged user inside a guest could use this flaw to crash the QEMU instance. (CVE-2016-1981) Red Hat would like to thank Zuozhi Fzz (Alibaba Inc.) for reporting CVE-2016-3712. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-1981 CVE-2016-3712 Libvirt is confused that qemu-kvm exposes 'block-job-cancel' but not 'block-stream' Guest using rbd based image as disk failed to start when sandbox was enabled [RHEL-7.2-qmu-kvm] Package is 100% lost when ping from host to Win2012r2 guest with 64000 size "CapsLock" will work as "\" when boot a guest with usb-kbd contents of MSR_TSC_AUX are not migrated posix_fallocate emulation on NFS fails with Bad file descriptor if fd is opened O_WRONLY Camera stops work after remote-viewer re-connection [qemu-kvm] Vlan table display repeat four times in qmp when queues=4 qemu-kvm build failure race condition in tests/ide-test Crash on QMP input exceeding limits ceph.conf properties override qemu's command-line properties [abrt] qemu-img: get_block_status(): qemu-img killed by SIGABRT CVE-2016-1981 Qemu: net: e1000 infinite loop in start_xmit and e1000_receive_iov routines qemu-img created VMDK images lead to "Not a supported disk format (sparse VMDK version too old)" qemu-img created VMDK images are unbootable "qemu-kvm: /builddir/build/BUILD/qemu-1.5.3/hw/scsi/virtio-scsi.c:533: virtio_scsi_push_event: Assertion `event == 0' failed" after hotplug 20 virtio-scsi disks then hotunplug them CVE-2016-3712 qemu-kvm: Out-of-bounds read when creating weird vga screen surface match the OEM ID and OEM Table ID fields of the FADT and the RSDT to those of the SLIC qemu-kvm doesn't reload udev rules before triggering for kvm device Ship FD connection patches qemu-kvm part qemu: accel=tcg does not implement SSE 4 properly Regression from CVE-2016-3712: windows installer fails to start [rhel-7.3] symbol lookup error: /usr/libexec/qemu-kvm: undefined symbol: libusb_get_port_numbers spice-gtk shows outdated screen state after migration [qemu-kvm] GLib-WARNING **: gmem.c:482: custom memory allocation vtable not supported QEMU crash when guest notifies non-existent virtqueue Flags xsaveopt xsavec xgetbv1 are missing on qemu-kvm RHSA-2016-1756 breaks migration of instances cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2586: python security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * A vulnerability was discovered in Python, in the built-in zipimporter. A specially crafted zip file placed in a module path such that it would be loaded by a later "import" statement could cause a heap overflow, leading to arbitrary code execution. (CVE-2016-5636) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Low Copyright 2016 Red Hat, Inc. CVE-2016-5636 man page contains $Date$ instead of actual date Python 2.7 installation is not 64 bit clean /etc/tmpfiles.d/python.conf shipped when /etc/tmpfiles.d is reserved for the local administrator python-2.7.5-34 breaks hashlib (md4) I'm hit by Python bug #11489, could the fix be backported? Upstream tests cause building python package on brew stall and leave orphan processes that need manually kill Python brew builds fail for RHEL 7.3 Update to the most recent version of PEP493 Segmentation fault in sslwrap function CVE-2016-5636 python: Heap overflow in zipimporter module cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2587: wget security and bug fix update (Moderate) Red Hat Enterprise Linux 7 The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix(es): * It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2016-4971) Red Hat would like to thank GNU wget project for reporting this issue. Upstream acknowledges Dawid Golunski as the original reporter. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-4971 -nv documented as synonymous to both --no-verbose and --report-speed CVE-2016-4971 wget: Lack of filename checking allows arbitrary file upload via FTP redirect cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2588: openssh security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix(es): * It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. (CVE-2015-8325) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-8325 sshd -T does not output authenticationmethods with default value systemctl restart/start sshd shows no error if start fails remove GLOB_LIMIT_STAT from OpenSSH rhpkg prep fails on rhel-7.3 branch CVE-2015-8325 openssh: privilege escalation via user's PAM environment and UseLogin=yes OpenSSH only looks for .k5login in user directory sftp -m modifies umask and breaks permissions on new directories ssh-copy-id not working when custom loglevel is quiet guest_t can run sudo openssh can't be installed without selinux-policy cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2589: gimp security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The GIMP (GNU Image Manipulation Program) is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo. The following packages have been upgraded to a newer upstream version: gimp (2.8.16), gimp-help (2.8.2). (BZ#1298226, BZ#1370595) Security Fix(es): * Multiple use-after-free vulnerabilities were found in GIMP in the channel and layer properties parsing process when loading XCF files. An attacker could create a specially crafted XCF file which could cause GIMP to crash. (CVE-2016-4994) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-4994 rebase the gimp to the latest stable release CVE-2016-4994 gimp: Use-after-free vulnerabilities in the channel and layer properties parsing process Rebase gimp-help to current upstream/Fedora version 2.8.2 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2590: dhcp security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Security Fix(es): * A resource-consumption flaw was discovered in the DHCP server. dhcpd did not restrict the number of open connections to OMAPI and failover ports. A remote attacker able to establish TCP connections to one of these ports could use this flaw to cause dhcpd to exit unexpectedly, stop responding requests, or exhaust system sockets (denial of service). (CVE-2016-2774) Red Hat would like to thank ISC for reporting this issue. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-2774 CVE-2016-2774 dhcp: unclosed TCP connections to OMAPI or failover ports can cause DoS cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2591: krb5 security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). The following packages have been upgraded to a newer upstream version: krb5 (1.14.1). (BZ#1292153) Security Fix(es): * A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a null pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) * A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a null pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Low Copyright 2016 Red Hat, Inc. CVE-2016-3119 CVE-2016-3120 kadmin.local -q with wrong value in -e option doesn't return nonzero return code RFE: Kerberos should support dropping configuration snippets to /etc/ and /usr krb5-server requires systemd-sysv when it shouldn't need to ksu asks for password even if called by root krb5kdc.log file is world-readable on IPA Remove krb5-server dependency on initscripts unless it is needed Please backport fix for interposer Update krb5 spec file with changes made in fedora Rebase krb5 to 1.14.x Chrome crash in spnego_gss_inquire_context() [backport] Fix some uses of installed files in the test suite krb5 selinux patch leaks memory Skip unnecessary mech calls in gss_inquire_cred CVE-2016-3119 krb5: null pointer dereference in kadmin otp module incorrectly overwrites as_key Incorrect length calculation in libkrad CVE-2016-3120 krb5: S4U2Self KDC crash when anon is restricted ssh login permission denied when ldap/krb5 is enabled via authconfig MS-KKDCP with TLS SNI requires HTTP Host header cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2592: subscription-manager security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The subscription-manager packages provide programs and libraries to allow users to manage subscriptions and yum repositories from the Red Hat entitlement platform. The subscription-manager-migration-data package provides certificates for migrating a system from the legacy Red Hat Network Classic (RHN) to Red Hat Subscription Management (RHSM). The python-rhsm packages provide a library for communicating with the representational state transfer (REST) interface of a Red Hat Unified Entitlement Platform. The Subscription Management tools use this interface to manage system entitlements, certificates, and access to content. The following packages have been upgraded to a newer upstream version: subscription-manager (1.17.15), python-rhsm (1.17.9), subscription-manager-migration-data (2.0.31). (BZ#1328553, BZ#1328555, BZ#1328559) Security Fix(es): * It was found that subscription-manager set weak permissions on files in /var/lib/rhsm/, causing an information disclosure. A local, unprivileged user could use this flaw to access sensitive data that could potentially be used in a social engineering attack. (CVE-2016-4455) Red Hat would like to thank Robert Scheck for reporting this issue. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-4455 [RFE] Network interface collection/facts do not support multiple address per interface [RFE] Separate out the rhsm certs into a separate RPM traceback on removing an import cert from 'my subs in gui' subscription-manager-initial-setup-addon - "Cancel" button does nothing exceptions from connection.RestlibException during autosubscribe should be printed to system error the red warning message in subscription-manager-initial-setup-addon should disappear when clicking Cancel/Back various RHEL7 channel maps to product certs are missing in subscription-manager-migration-data subscription-manager package profile submission is sending profiles with UUID=None to SLE endpoint Back button on first panel of subscription-manager-gui workflow has no effect Traceback in subscription-manager-gui from My Subscriptions Tab At the end of auto attach, the Back button does nothing The cmd "repos --list --proxy" with a fake proxy server url will not stop running. Stacktrace displayed when running rct against an inaccessible file Available subscriptions can not be sorted by number in subscription-manager-gui Rebase subscription-manager component to the latest upstream branch for RHEL 7.3 Rebase python-rhsm component to the latest upstream branch for RHEL 7.3 Rebase subscription-manager-migration-data component to the latest upstream branch for RHEL 7.3 subscription-manager-migration-data for RHEL7.3 needs RHEL7.3 product certs missing RHN channel mappings to ppc64le product certs for product id 279 rhel-x86_64-server-7-ost-7 channel maps are absent from channel-cert-mapping.txt Docker client doesn't link entitlements certs Rhsmcertd healinglib variable 'valid_tomorrow' referenced before assignment Initial-setup : no error message is thrown when user clicks on register button without entering credentials "Default" server url is not configuring the port and prefix details Traceback on the terminal when used CTRL+C to kill the subscription-manager-gui application rhel-x86_64-server-7-rhevh channel maps are absent from channel-cert-mapping.txt Subscription-manager-gui's combo "Service level preferences" does not change it's name if some value is choosen from AT-SPI perspective Subscription-manager-gui's combo "Release version" does not change it's name if some value is choosen from AT-SPI perspective YUM plugins reconfigure root logger Despite an "Insufficient" subscription status, the GUI is blocked from auto-subscribing by "No need to update subscriptions" message. typo in "Proxy connnection failed, please check your settings." rhsm-icon -i fails with libnotify-CRITICAL and GLib-GObject-CRITICAL errors [RFE] Update the 'rct' command to expose the virt_limit attribute to determine if virt-who is needed for the deployment. [RFE] Update the 'rct' command to allow not outputting content-set data Zanata translations for subscription-manager 1.17 are not 100% CVE-2016-4455 subscription-manager: sensitive world readable files in /var/lib/rhsm/ unbound method endheaders() must be called with HTTPSConnection instance as first argument (got RhsmProxyHTTPSConnection instance instead) [RFE] Allow users to set socket timeout. rhel-x86_64-server-7-ost-8 channel maps are absent from channel-cert-mapping.txt rhel-x86_64-server-7-rh-gluster-3-client channel maps are absent from channel-cert-mapping.txt RHN RHEL Channels 'rhel-x86_64-<VARIANT>-7-thirdparty-oracle-java' map to a '7.2' version cert; should be '7.3' RHN RHEL Channels 'rhel-x86_64-<VARIANT>-7-thirdparty-oracle-java-beta' map to a '7.2' version cert; should be '7.3 Beta' [ERROR] subscription-manager:31276 @dbus_interface.py:60 - org.freedesktop.DBus.Python.OSError: Traceback AttributeError: 'Identity' object has no attribute 'keypath' rhel-s390x-server-ha-7-beta channel maps are absent from channel-cert-mapping.txt rhel-s390x-server-rs-7-beta channel maps are absent from channel-cert-mapping.txt Clients unable to access newly released content (Satellite 6.2 GA) default_log_level in rhsm.conf should be INFO to honor bug 1266935 man page for rhsm.conf is missing info on new [logging] section subscription-manager refresh causes: Server error attempting a PUT to /subscription/consumers/<UUID>/certificates?lazy_regen=true returned status 404 RHN Channel mapping file '/usr/share/rhsm/product/RHEL-7/channel-cert-mapping.txt' does NOT account for RHN base channel 'rhel-ppc64le-server-7' failed to use host entitlement in containers 'Resource not found on the server' when running 'subscription-manager refresh' an empty error dialog message can appear in subscription-manager-gui when the server response message contains a pair of < > rct cat-manifest is not bash-completing new option --no-content checking "Manually attach subscriptions after registration" hangs the initial-setup screen in "registering" state for ever cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2593: sudo security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es): * It was discovered that the default sudo configuration preserved the value of INPUTRC from the user's environment, which could lead to information disclosure. A local user with sudo access to a restricted program that uses readline could use this flaw to read content from specially formatted files with elevated privileges provided by sudo. (CVE-2016-7091) Note: With this update, INPUTRC was removed from the env_keep list in /etc/sudoers to avoid having sudo preserve the value of this variable when invoking privileged commands. Red Hat would like to thank Grisha Levit for reporting this issue. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Low Copyright 2016 Red Hat, Inc. CVE-2016-7091 default requiretty is problematic and breaks valid usage visudo accept non valid content sudo - cmnd_no_wait can cause child processes to ignore SIGPIPE sudo option mail_no_user doesn't work CVE-2016-7091 sudo: Possible info leak via INPUTRC [RHEL7] visudo ignores -q flag cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2594: 389-ds-base security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. The following packages have been upgraded to a newer upstream version: 389-ds-base (1.3.5.10). (BZ#1270020) Security Fix(es): * It was found that 389 Directory Server was vulnerable to a flaw in which the default ACI (Access Control Instructions) could be read by an anonymous user. This could lead to leakage of sensitive information. (CVE-2016-5416) * An information disclosure flaw was found in 389 Directory Server. A user with no access to objects in certain LDAP sub-tree could send LDAP ADD operations with a specific object name. The error message returned to the user was different based on whether the target object existed or not. (CVE-2016-4992) * It was found that 389 Directory Server was vulnerable to a remote password disclosure via timing attack. A remote attacker could possibly use this flaw to retrieve directory server password after many tries. (CVE-2016-5405) The CVE-2016-5416 issue was discovered by Viktor Ashirov (Red Hat); the CVE-2016-4992 issue was discovered by Petr Spacek (Red Hat) and Martin Basti (Red Hat); and the CVE-2016-5405 issue was discovered by William Brown (Red Hat). Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-4992 CVE-2016-5405 CVE-2016-5416 [RFE] Default password syntax settings don't work with fine-grained policies [RFE] Enhance password change tracking [RFE] The dirsrv user/group should be created in rpm %pre, and ideally with fixed uid/gid search, matching rules and filter error "unsupported type 0xA9" substring index with nssubstrbegin: 1 is not being used with filters like (attr=x*) [RFE] Add a utility to get the status of Directory Server instances Add PIDFile option to systemd service file nsslapd-maxbersize should be ignored in replication 389-ds-base: ldclt-bin killed by SIGSEGV No validation check for the value for nsslapd-db-locks. No man page entry for - option '-u' of dbgen.pl for adding group entries with uniquemembers db2index creates index entry from deleted records /usr/lib64/dirsrv/libnunc-stans.so is owned by both -libs and -devel total update request must not be lost dna plugin needs to handle binddn groups for authorization Add config setting to MemberOf Plugin to add required objectclass got memberOf attribute Linked Attributes plug-in - wrong behaviour when adding valid and broken links Linked Attributes plug-in - won't update links after MODRDN operation pagedresults - when timed out, search results could have been already freed. ds-logpipe.py with wrong arguments - python exception in the output Rebase 389-ds-base to 1.3.5 in RHEL-7.3 nunc-stans: Attempt to release connection that is not acquired crash in Managed Entry plugin [RFE] Improve timestamp resolution in logs Deadlock between two MODs on the same entry between entry cache and backend lock deadlock in mep delete post op [RFE] add setup-ds.pl option to disable instance specific scripts SimplePagedResults -- abandon could happen between the abandon check and sending results Share nsslapd-threadnumber in the case nunc-stans is enabled, as well. deadlock on connection mutex Cannot upgrade a consumer to supplier in a multimaster environment acl - regression - trailing ', (comma)' in macro matched value is not removed. setup-ds should detect if port is already defined many attrlist_replace errors in connection with cleanallruv proxyauth support does not work when bound as directory manager [RFE] Support for rfc3673 '+' to return operational attributes With exhausted range, part of DNA shared configuration is deleted after server restart SimplePagedResults -- in the search error case, simple paged results slot was not released. The 'eq' index does not get updated properly when deleting and re-adding attributes in the same ldapmodify operation ldclt - segmentation fault error while binding logconv.pl displays negative operation speeds Crash in slapi_get_object_extension heap corruption at schema replication. Import readNSState.py from RichM's repo "stale" automember rule (associated to a removed group) causes discrepancies in the database keep alive entries can break replication Supplier can skip a failing update, although it should retry. dirsrv service fails to start when nsslapd-listenhost is configured change severity of some messages related to "keep alive" entries moving an entry cause next on-line init to skip entry has no parent, ending at line 0 of file "(bulk import)" License tag does not match actual license of code search returns no entry when OR filter component contains non readable attribute dirsrv service doesn't ask for pin when pin.txt is missing syncrepl search returning error 329; plugin sending a bad error code ldctl should support -H with ldap uris no plugin calls in tombstone purging add nsslapd-auditlog-logging-enabled: off to template-dse.ldif If nsSSL3 is on, even if SSL v3 is not really enabled, a confusing message is logged. DES to AES password conversion fails if a backend is empty Replication changelog can incorrectly skip over updates Page result search should return empty cookie if there is no returned entry db2index uses a buffer size derived from dbcachesize objectclass values could be dropped on the consumer 389-ds-base-1.3.4.0-29.el7_2 "hang" Paged results search returns the blank list of entries ns-accountstatus.pl gives error message on execution along with results. password history is not updated when an admin resets the password (389-ds-base-1.3.5) Fixing coverity issues. Enable DS to offer weaker DH params in NSS db2ldif is not taking into account multiple suffixes or backends Modifier's name is not recorded in the audit log with modrdn and moddn operations Server ram sanity checks work in isolation Wrong result code display in audit-failure log Running db2index with no options breaks replication At startup DES to AES password conversion causes timeout in start script [RFE] adding pre/post extop ability CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation CVE-2016-5416 389-ds-base: ACI readable by anonymous user Improve MMR replication convergence Values of dbcachetries/dbcachehits in cn=monitor could overflow. ns-slapd shutdown crashes if pwdstorageschema name is from stack. Setup-ds.pl --update fails DS shuts down automatically if dnaThreshold is set to 0 in a MMR setup If a cipher is disabled, do not attempt to look it up Upgrade to 389-ds-base >= 1.3.5.5 doesn't install 389-ds-base-snmp flow control in replication also blocks receiving results nunc-stans: ns-slapd crashes during startup with SIGILL on AMD Opteron 280 Fixup tombstone task needs to set proper flag when updating tombstones CVE-2016-5405 389-ds-base: Password verification vulnerable to timing attack remove-ds.pl deletes an instance even if wrong prefix was specified nsslapd-workingdir is empty when ns-slapd is started by systemd When fine-grained policy is applied, a sub-tree has a priority over a user while changing password Duplicate collation entries Change example in /etc/sysconfig/dirsrv to use tcmalloc Crash in import_wait_for_space_in_fifo(). man page of ns-accountstatus.pl shows redundant entries for -p port option passwordMinAge attribute doesn't limit the minimum age of the password cleanallruv changelog cleaning incorrectly impacts all backends set proper update status to replication agreement in case of failure Server Side Sorting crashes the server. Disabling CLEAR password storage scheme will crash server when setting a password cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2595: mariadb security and bug fix update (Important) Red Hat Enterprise Linux 7 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: mariadb (5.5.52). (BZ#1304516, BZ#1377974) Security Fix(es): * It was discovered that the MariaDB logging functionality allowed writing to MariaDB configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662) * A race condition was found in the way MariaDB performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. (CVE-2016-6663) * This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3492, CVE-2016-5612, CVE-2016-5616, CVE-2016-5624, CVE-2016-5626, CVE-2016-5629, CVE-2016-8283) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Important Copyright 2016 Red Hat, Inc. CVE-2016-3492 CVE-2016-5612 CVE-2016-5616 CVE-2016-5624 CVE-2016-5626 CVE-2016-5629 CVE-2016-6662 CVE-2016-6663 CVE-2016-8283 dialog.so and mysql_clear_password.so should be in mariadb-libs package /usr/lib/tmpfiles.d/mariadb.conf is overwritten when mariadb package is updated Duplicate key with auto increment non-daemon ELF binaries are compiled as PIE, but without full RELRO CVE-2016-6662 mysql: general_log can write to configuration files, leading to privilege escalation (CPU Oct 2016) CVE-2016-6663 CVE-2016-5616 mysql: race condition while setting stats during MyISAM table repair (CPU Oct 2016) CVE-2016-3492 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU October 2016) CVE-2016-5612 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU October 2016) CVE-2016-5616 mysql: unspecified vulnerability in subcomponent: Server: MyISAM (CPU October 2016) CVE-2016-5624 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU October 2016) CVE-2016-5626 mysql: unspecified vulnerability in subcomponent: Server: GIS (CPU October 2016) CVE-2016-5629 mysql: unspecified vulnerability in subcomponent: Server: Federated (CPU October 2016) CVE-2016-8283 mysql: unspecified vulnerability in subcomponent: Server: Types (CPU October 2016) cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2596: pcs security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. The following packages have been upgraded to a newer upstream version: pcs (0.9.152). (BZ#1299847) Security Fix(es): * A Cross-Site Request Forgery (CSRF) flaw was found in the pcsd web UI. A remote attacker could provide a specially crafted web page that, when visited by a user with a valid pcsd session, would allow the attacker to trigger requests on behalf of the user, for example removing resources or restarting/removing nodes. (CVE-2016-0720) * It was found that pcsd did not invalidate cookies on the server side when a user logged out. This could potentially allow an attacker to perform session fixation attacks on pcsd. (CVE-2016-0721) These issues were discovered by Martin Prpic (Red Hat Product Security). Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-0720 CVE-2016-0721 add support for utilization attributes Support for sbd configuration is needed in pcs RFE: please adjust timeouts for pcsd check (or allow to disable them) [CLI] particular help screens inconsistent in indication of default sub^n-commands pcs resource cleanup improvements pcs should allow to remove a dead node from a cluster [CLI] minor cleanups in built-in documentation [RFE] make "cluster setup --start", "cluster start" and "cluster standby" support --wait as well resource/fence agent options form needs an overhaul Specifying a non-existing id in ACL role permission produces an invalid CIB 'pcs resource delete' doesn't delete resource referenced in acl Rewrite pcsd launch script pcs Web UI doesn't indicate unmanaged resources pcs needs to be able to view status and config on nodes that are not part of any cluster, but have a cib.xml file colocation set constraints missing in web UI Cluster Properties page in web UI needs an overhaul web UI lacks ability to move resources within a resource group pcsd: deleting groups/clones from older cluster returns Internal Server Error When referencing a stonith/resource agent without a provider and the fence/resource agents fails to get metadata causes pcs to traceback pcs doesn't support putting Pacemaker Remote nodes into standby [RFE] pcs status output could be simpler when constraints are in place CVE-2016-0720 pcs: Cross-Site Request Forgery in web UI CVE-2016-0721 pcs: cookies are not invalidated upon logout pcs rebase bug for 7.3 [RFE] pcs property list/show could have a --node filter pcs property show <property> shows all node properties unfiltered Cannot create a new resource with the same name of a one failed and deleted before, until cleanup Unsanitized input in username field on login page [packaging] pcsd.service shipped twice (under different locations) Option to disable particular TLS version and ciphers with pcsd [packaging] /etc/sysconfig/pcsd is not marked as a config file Need a way to set expected votes on a live system [cli] pcs makes a disservice to CIB-accumulate-and-push use cases by not coping with "cib --config" file (recommended!) passed as "-f <file>" to cib-modifying commands Cannot recreate remote node resource [packaging] pcs should mark known (existing or not) %config files in the spec (/etc/sysconfig/pcsd, /var/lib/pcsd/tokens, ...) [GUI] Bad Request when resource removal takes longer than pcs expects [bash-completion] put it under $(pkg-config --variable=completionsdir bash-completion) to allow for dynamic loading [cli] pcs should except KeyboardInterrupt at least around raw_input builtin invocation [clufter integration] clufter is distribution-sensitive wrt. new features so pass the current one on cluster.conf/corosync.conf match and allow user's override pcs authentication command does not trigger authentication of nodes against each other [pcsd] Badly designed usage of HTML ID attributes may cause unexpected behavior with certain resource names cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2597: firewalld security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 firewalld is a firewall service daemon that provides a dynamic customizable firewall with a D-Bus interface. The following packages have been upgraded to a newer upstream version: firewalld (0.4.3.2). (BZ#1302802) Security Fix(es): * A flaw was found in the way firewalld allowed certain firewall configurations to be modified by unauthenticated users. Any locally logged in user could use this flaw to tamper or change firewall settings. (CVE-2016-5410) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-5410 firewall-config should allow unspecifying zone binding for interface a rule added into IN_<zone>_allow chain with 'permanent direct' interface doesn't exist after reload RFE: add command to firewall-cmd showing details of a service firewall-cmd should support a default logging option. Add radius TCP to policy. Firewalld missing policies for imap and smtps Option '--quiet' is needed in firewall-offline-cmd command line. Error: RT_TO_PERM_FAILED: zone 'dmz' : ZONE_CONFLICT when doing --runtime-to-permanent [ALL_LANG][firewalld] Translation incomplete Firewalld DefaultZone change breaking on --reload Headless firewall-config over ssh. firewall-config missing dependencies Fails to start without ip6t_rpfilter module firewalld --new-service & malformed xml ?? xsd specification nor service daemon checks whether tags are specified more than once if they must not firewalld reporting errors in logs for failed iptables commands Rebase to the new upstream and new release firewalld - mistake in <ports> renders ports remain closed, silently. Firewalld hangs with a NIS configuration command "systemctl reload firewalld" stops firewalld Backport After=dbus.service [RFE] allow negation of icmp-blocks zone configuration field firewalld stops traffic from/to 127.0.0.1 when masquerading is enabled in default zone rich rule with destination and no element give error Add port for corosync-qnetd to high-availability service FirewallD fails to parse direct rules with a lot of destination addresses exit codes don't match error messages in firewall-cmd CVE-2016-5410 firewalld: Firewall configuration can be modified by any logged in user Print errors and warnings to stderr package sanity: downgrade path is not working firewall-cmd ipset --add-entries-from-file broken firewall-cmd crashes if /run/dbus/system_bus_socket does not exist Trying to get the description for a firewalld zone from command line throws error and prints traceback information. Load helper modules in FirewallZoneTransaction An error in the permanent direct rules will make all other direct rules using a table other than the filter table not applicable. exclude firewallctl from firewalld v0.4.3.2 update cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2598: php security and bug fix update (Moderate) Red Hat Enterprise Linux 7 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es): * A flaw was found in the way certain error conditions were handled by bzread() function in PHP. An attacker could use this flaw to upload a specially crafted bz2 archive which, when parsed via the vulnerable function, could cause the application to crash or execute arbitrary code with the permissions of the user running the PHP application. (CVE-2016-5399) * An integer overflow flaw, leading to a heap-based buffer overflow was found in the imagecreatefromgd2() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application using gd via a specially crafted GD2 image. (CVE-2016-5766) * An integer overflow flaw, leading to a heap-based buffer overflow was found in the gdImagePaletteToTrueColor() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application using gd via a specially crafted image buffer. (CVE-2016-5767) * A double free flaw was found in the mb_ereg_replace_callback() function of php which is used to perform regex search. This flaw could possibly cause a PHP application to crash. (CVE-2016-5768) Red Hat would like to thank Hans Jerry Illikainen for reporting CVE-2016-5399. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-5399 CVE-2016-5766 CVE-2016-5767 CVE-2016-5768 ext/openssl: default_md algo is MD5 Segfault running ZendFramework test suite (php_wddx_serialize_var) httpd segfault in php_module_shutdown when opcache loaded twice No TLS1.1 or TLS1.2 support for php curl module PHP crashes with [core:notice] [pid 3864] AH00052: child pid 95199 exit signal Segmentation fault (11) Segmentation fault while header_register_callback CVE-2016-5766 gd: Integer Overflow in _gd2GetHeader() resulting in heap overflow CVE-2016-5767 gd: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow CVE-2016-5768 php: Double free in _php_mb_regex_ereg_replace_exec CVE-2016-5399 php: Improper error handling in bzread() cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2599: tomcat security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. The following packages have been upgraded to a newer upstream version: tomcat (7.0.69). (BZ#1287928) Security Fix(es): * A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763) * A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092) * A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call. (CVE-2015-5174) * It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345) * It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2015-5174 CVE-2015-5345 CVE-2015-5351 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763 CVE-2016-3092 Need to include full implementation of tomcat-juli.jar and tomcat-juli-adapters.jar Fix the broken tomcat-jsvc service unit Mark web.xml in tomcat-admin-webapps as config file tomcat.service loads /etc/sysconfig/tomcat without shell expansion Tomcat startup ONLY options The command tomcat-digest doesn't work with RHEL 7 CVE-2015-5174 tomcat: URL Normalization issue tomcat user has non-existing default shell set Rebase tomcat to 7.0.69 or backport features CVE-2015-5351 tomcat: CSRF token leak CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet CVE-2015-5345 tomcat: directory disclosure CVE-2016-0763 tomcat: security manager bypass via setGlobalContext() Getting NoSuchElementException while handling attributes with empty string value in tomcat 7.0.54 Add HSTS support rpm -V tomcat fails on /var/log/tomcat/catalina.out The security manager doesn't work correctly (JSPs cannot be compiled) The systemd service unit does not allow tomcat to shut down gracefully CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2600: squid security, bug fix, and enhancement update (Moderate) Red Hat Enterprise Linux 7 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. The following packages have been upgraded to a newer upstream version: squid (3.5.20). (BZ#1273942, BZ#1349775) Security Fix(es): * Incorrect boundary checks were found in the way squid handled headers in HTTP responses, which could lead to an assertion failure. A malicious HTTP server could use this flaw to crash squid using a specially crafted HTTP response. (CVE-2016-2569, CVE-2016-2570) * It was found that squid did not properly handle errors when failing to parse an HTTP response, possibly leading to an assertion failure. A malicious HTTP server could use this flaw to crash squid using a specially crafted HTTP response. (CVE-2016-2571, CVE-2016-2572) * An incorrect boundary check was found in the way squid handled the Vary header in HTTP responses, which could lead to an assertion failure. A malicious HTTP server could use this flaw to crash squid using a specially crafted HTTP response. (CVE-2016-3948) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-2569 CVE-2016-2570 CVE-2016-2571 CVE-2016-2572 CVE-2016-3948 IPv4 fallback is not working when connecting to a dualstack host with non-functional IPv6 should BuildRequire: g++ squid file descriptor limit hardcoded to 16384 via compile option in spec file CVE-2016-2569 CVE-2016-2570 squid: some code paths fail to check bounds in string object CVE-2016-2571 CVE-2016-2572 squid: wrong error handling for malformed HTTP responses CVE-2016-3948 squid: denial of service issue in HTTP response processing digest doesn't properly work with squid 3.3 on CentOS 7 Disable squid systemd unit start/stop timeouts cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2601: fontconfig security and bug fix update (Moderate) Red Hat Enterprise Linux 7 Fontconfig is designed to locate fonts within the system and select them according to requirements specified by applications. Security Fix(es): * It was found that cache files were insufficiently validated in fontconfig. A local attacker could create a specially crafted cache file to trigger arbitrary free() calls, which in turn could lead to arbitrary code execution. (CVE-2016-5384) Red Hat would like to thank Tobias Stoeckmann for reporting this issue. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-5384 Make alias Consolas displaying DejaVu Sans Mono CVE-2016-5384 fontconfig: Possible double free due to insufficiently validated cache files cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2602: mod_nss security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 The mod_nss module provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, using the Network Security Services (NSS) security library. The following packages have been upgraded to a newer upstream version: mod_nss (1.0.14). (BZ#1299063) Security Fix(es): * A flaw was found in the way mod_nss parsed certain OpenSSL-style cipher strings. As a result, mod_nss could potentially use ciphers that were not intended to be enabled. (CVE-2016-3099) This issue was discovered by Rob Crittenden (Red Hat). Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Low Copyright 2016 Red Hat, Inc. CVE-2016-3099 [RFE] Add server-side Server Name Indication (SNI) support /etc/httpd/alias/libnssckbi.so is a dangling relative symlink when /etc/httpd/alias is itself symlinked to some other directory Segmentation fault in httpd/mod_nss in the parent process while reloading via SIGHUP Rebase mod_nss to 1.0.12 release NSSProtocol is ignored when NSSFIPS is enabled. mod_nss segmentation fault when NSSCertificateDatabase does not have proper permissions CVE-2016-3099 mod_nss: Invalid handling of +CIPHER operator mod_nss sets r->user in fixup even if it was long ago changed by other module mod_nss leaks semaphores cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2603: libreswan security and bug fix update (Moderate) Red Hat Enterprise Linux 7 Libreswan is an implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network (VPN). Security Fix(es): * A traffic amplification flaw was found in the Internet Key Exchange version 1 (IKEv1) protocol. A remote attacker could use a libreswan server with IKEv1 enabled in a network traffic amplification denial of service attack against other hosts on the network by sending UDP packets with a spoofed source address to that server. (CVE-2016-5361) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-5361 ipsec auto --listcrls doesn't show crls Pluto does not handle delete message from responder site in ikev1 Pluto crashes after stop when I use floating ip address Libreswan doesn't call NetworkManager helper in case of a connection error libreswan FIPS test mistakenly looks for non-existent file hashes and reports FIPS failure ipsec whack man page discrepancies Unable to authenticate with PAM for IKEv1 XAUTH PAM xauth method does not work with pam_sss keyingtries=0 is broken - meaning it is interpreted as keyingtries=1 ipsec initnss/checknss custom directory not recognized When using SHA2 as PRF algorithm, the nonce payload is below the RFC required minimum size CVE-2016-5361 IKEv1 protocol is vulnerable to DoS amplification attack ipsec barf does not show pluto log correctly in the output ipsec pluto returns zero even if it fails ipsec.conf manpage does not contain any mention about crl-strict option libreswan needs to check additional CRLs after LDAP CRL distributionpoint fails cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2604: resteasy-base security and bug fix update (Important) Red Hat Enterprise Linux 7 RESTEasy contains a JBoss project that provides frameworks to help build RESTful Web Services and RESTful Java applications. It is a fully certified and portable implementation of the JAX-RS specification. Security Fix(es): * It was discovered that under certain conditions RESTEasy could be forced to parse a request with SerializableProvider, resulting in deserialization of potentially untrusted data. An attacker could possibly use this flaw to execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-7050) Red Hat would like to thank Mikhail Egorov (Odin) for reporting this issue. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Important Copyright 2016 Red Hat, Inc. CVE-2016-7050 JPP.resteasy-base-resteasy-pom.pom: version failed to match the rpm version Rebuilding of resteasy-base srpm fails when java-1.8.0-openjdk is used CVE-2016-7050 RESTEasy:SerializableProvider enabled by default and deserializes untrusted data cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2605: util-linux security, bug fix, and enhancement update (Low) Red Hat Enterprise Linux 7 The util-linux packages contain a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, these include the fdisk configuration tool and the login program. Security Fix(es): * It was found that util-linux's libblkid library did not properly handle Extended Boot Record (EBR) partitions when reading MS-DOS partition tables. An attacker with physical USB access to a protected machine could insert a storage device with a specially crafted partition table that could, for example, trigger an infinite loop in systemd-udevd, resulting in a denial of service on that machine. (CVE-2016-5011) Red Hat would like to thank Michael Gruhn for reporting this issue. Upstream acknowledges Christian Moch as the original reporter. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Low Copyright 2016 Red Hat, Inc. CVE-2016-5011 blkid shows devices as /dev/block/$MAJOR:$MINOR lack of non-ascii support mount only parses <param>=<value> lines from fstab fs_spec field available from blkid block device mount -a doesn't catch a typo in /etc/fstab and a typo in /etc/fstab can make a system not reboot properly util-linux: /bin/login does not retry getpwnam_r with larger buffers, leading to login failure lslogins crash when executed with buggy username Bash completion for more(1) handles file names with spaces incorrectly RHEL7: update audit event in hwclock [libblkid] Failed to get offset of the xfs_external_log signature [rfe] /bin/su should be improved to reduce stack use Backport blkdiscard's "-z" flag to RHEL extra quotes around UUID confuses findfs in RHEL (but not in Fedora) util-linux fails valid_pmbr() size checks if device is > 2.14TB, Device label type: dos instead of gpt Extended partition loop in MBR partition table leads to DOS CVE-2016-5011 util-linux: Extended partition loop in MBR partition table leads to DOS cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2606: postgresql security and bug fix update (Moderate) Red Hat Enterprise Linux 7 PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a newer upstream version: postgresql (9.2.18). Security Fix(es): * A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authenticated attacker could use a specially crafted SQL statement to cause PostgreSQL to crash or disclose a few bytes of server memory or possibly execute arbitrary code. (CVE-2016-5423) * A flaw was found in the way PostgreSQL client programs handled database and role names containing newlines, carriage returns, double quotes, or backslashes. By crafting such an object name, roles with the CREATEDB or CREATEROLE option could escalate their privileges to superuser when a superuser next executes maintenance with a vulnerable client program. (CVE-2016-5424) Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Heikki Linnakangas as the original reporter of CVE-2016-5423; and Nathan Bossart as the original reporter of CVE-2016-5424. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-5423 CVE-2016-5424 Postgresql won't start if user postgres is locked (/sbin/nologin). CVE-2016-5423 postgresql: CASE/WHEN with inlining can cause untrusted pointer dereference CVE-2016-5424 postgresql: privilege escalation via crafted database and role names cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2607: powerpc-utils-python security update (Moderate) Red Hat Enterprise Linux 7 The powerpc-utils-python packages provide Python-based utilities for maintaining and servicing PowerPC systems. Security Fix(es): * It was found that the amsvis command of the powerpc-utils-python package did not verify unpickled data before processing it. This could allow an attacker who can connect to an amsvis server process (or cause an amsvis client process to connect to them) to execute arbitrary code as the user running the amsvis process. (CVE-2014-8165) This issue was discovered by Dhiru Kholia of Red Hat Product Security. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Moderate Copyright 2016 Red Hat, Inc. CVE-2014-8165 CVE-2014-8165 powerpc-utils-python: arbitrary code execution due to unpickling untrusted input cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2610: systemd security and bug fix update (Moderate) Red Hat Enterprise Linux 7 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es): * A flaw was found in the way systemd handled empty notification messages. A local attacker could use this flaw to make systemd freeze its execution, preventing further management of system services, system shutdown, or zombie process collection via systemd. (CVE-2016-7795) Bug Fix(es): * Previously, the udev device manager automatically enabled all memory banks on IBM z System installations. As a consequence, hot plug memory was enabled automatically, which was incorrect. With this update, system architecture checks have been added to the udev rules to address the problem. As a result, hot plug memory is no longer automatically enabled. (BZ#1381123) Moderate Copyright 2016 Red Hat, Inc. CVE-2016-7795 CVE-2016-7795 systemd: Assertion failure when PID 1 receives a zero-length message over notify socket systemctl show changes s390x standby memory automatically onlined after boot [rhel-7.3.z] cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2614: pacemaker security and bug fix update (Important) Red Hat Enterprise Linux 7 The Pacemaker cluster resource manager is a collection of technologies working together to provide data integrity and the ability to maintain application availability in the event of a failure. Security Fix(es): * An authorization flaw was found in Pacemaker, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine. (CVE-2016-7035) This issue was discovered by Jan "poki" Pokorny (Red Hat) and Alain Moulle (ATOS/BULL). Bug Fix(es): * The version of Pacemaker in Red Hat Enterprise Linux 7.3 incorporated an increase in the version number of the remote node protocol. Consequently, cluster nodes running Pacemaker in Red Hat Enterprise Linux 7.3 and remote nodes running earlier versions of Red Hat Enterprise Linux were not able to communicate with each other unless special precautions were taken. This update preserves the rolling upgrade capability. (BZ#1389023) Important Copyright 2016 Red Hat, Inc. CVE-2016-7035 CVE-2016-7035 pacemaker: Privilege escalation due to improper guarding of IPC communication Repair rolling upgrades from 7.2 -> 7.3 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2615: bind security update (Important) Red Hat Enterprise Linux 7 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters. Important Copyright 2016 Red Hat, Inc. CVE-2016-8864 CVE-2016-8864 bind: assertion failure while handling responses containing a DNAME answer cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2658: java-1.7.0-openjdk security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es): * It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy() function in certain cases. An untrusted Java application or applet could use this flaw to corrupt virtual machine's memory and completely bypass Java sandbox restrictions. (CVE-2016-5582) * It was discovered that the Hotspot component of OpenJDK did not properly check received Java Debug Wire Protocol (JDWP) packets. An attacker could possibly use this flaw to send debugging commands to a Java program running with debugging enabled if they could make victim's browser send HTTP requests to the JDWP port of the debugged application. (CVE-2016-5573) * It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for Jar integrity verification. This flaw could allow an attacker to modify content of the Jar file that used weak signing key or hash algorithm. (CVE-2016-5542) Note: After this update, MD2 hash algorithm and RSA keys with less than 1024 bits are no longer allowed to be used for Jar integrity verification by default. MD5 hash algorithm is expected to be disabled by default in the future updates. A newly introduced security property jdk.jar.disabledAlgorithms can be used to control the set of disabled algorithms. * A flaw was found in the way the JMX component of OpenJDK handled classloaders. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554) * A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if proxy asked for authentication. (CVE-2016-5597) Note: After this update, Basic HTTP proxy authentication can no longer be used when tunneling HTTPS connection through an HTTP proxy. Newly introduced system properties jdk.http.auth.proxying.disabledSchemes and jdk.http.auth.tunneling.disabledSchemes can be used to control which authentication schemes can be requested by an HTTP proxy when proxying HTTP and HTTPS connections respectively. Important Copyright 2016 Red Hat, Inc. CVE-2016-10165 CVE-2016-5542 CVE-2016-5554 CVE-2016-5573 CVE-2016-5582 CVE-2016-5597 CVE-2016-5582 OpenJDK: incomplete type checks of System.arraycopy arguments (Hotspot, 8160591) CVE-2016-5573 OpenJDK: insufficient checks of JDWP packets (Hotspot, 8159519) CVE-2016-5554 OpenJDK: insufficient classloader consistency checks in ClassLoaderWithRepository (JMX, 8157739) CVE-2016-5542 OpenJDK: missing algorithm restrictions for jar verification (Libraries, 8155973) CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:2674: libgcrypt security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The libgcrypt library provides general-purpose implementations of various cryptographic algorithms. Security Fix(es): * A design flaw was found in the libgcrypt PRNG (Pseudo-Random Number Generator). An attacker able to obtain the first 580 bytes of the PRNG output could predict the following 20 bytes. (CVE-2016-6313) Red Hat would like to thank Felix Dörre and Vladimir Klebanov for reporting this issue. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-6313 CVE-2016-6313 libgcrypt: PRNG output is predictable cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2702: policycoreutils security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The policycoreutils packages contain the core policy utilities required to manage a SELinux environment. Security Fix(es): * It was found that the sandbox tool provided in policycoreutils was vulnerable to a TIOCSTI ioctl attack. A specially crafted program executed via the sandbox command could use this flaw to execute arbitrary commands in the context of the parent shell, escaping the sandbox. (CVE-2016-7545) Important Copyright 2016 Red Hat, Inc. CVE-2016-7545 CVE-2016-7545 policycoreutils: SELinux sandbox escape via TIOCSTI ioctl cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:2779: nss and nss-util security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. The following packages have been upgraded to a newer upstream version: nss (3.21.3), nss-util (3.21.3). Security Fix(es): * Multiple buffer handling flaws were found in the way NSS handled cryptographic data from the network. A remote attacker could use these flaws to crash an application using NSS or, possibly, execute arbitrary code with the permission of the user running the application. (CVE-2016-2834) * A NULL pointer dereference flaw was found in the way NSS handled invalid Diffie-Hellman keys. A remote client could use this flaw to crash a TLS/SSL server using NSS. (CVE-2016-5285) * It was found that Diffie Hellman Client key exchange handling in NSS was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group. (CVE-2016-8635) Red Hat would like to thank the Mozilla project for reporting CVE-2016-2834. The CVE-2016-8635 issue was discovered by Hubert Kario (Red Hat). Upstream acknowledges Tyson Smith and Jed Davis as the original reporter of CVE-2016-2834. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-2834 CVE-2016-5285 CVE-2016-8635 CVE-2016-2834 nss: Multiple security flaws (MFSA 2016-61) CVE-2016-5285 nss: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash CVE-2016-8635 nss: small-subgroups attack flaw cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 RHSA-2016:2780: firefox security update (Critical) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.5.0 ESR. Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-5296, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290) * A flaw was found in the way Add-on update process was handled by Firefox. A Man-in-the-Middle attacker could use this flaw to install a malicious signed add-on update. (CVE-2016-9064) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Abhishek Arya, André Bargull, Samuel Groß, Yuyang Zhou, Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup as the original reporters. Critical Copyright 2016 Red Hat, Inc. CVE-2016-5290 CVE-2016-5291 CVE-2016-5296 CVE-2016-5297 CVE-2016-9064 CVE-2016-9066 CVE-2016-5296 Mozilla: Heap-buffer-overflow WRITE in rasterize_edges_1 (MFSA 2016-89, MFSA 2016-90) CVE-2016-5297 Mozilla: Incorrect argument length checking in Javascript (MFSA 2016-89, MFSA 2016-90) CVE-2016-9064 Mozilla: Addons update must verify IDs match between current and new versions (MFSA 2016-89, MFSA 2016-90) CVE-2016-9066 Mozilla: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (MFSA 2016-89, MFSA 2016-90) CVE-2016-5291 Mozilla: Same-origin policy violation using local HTML file and saved shortcut file (MFSA 2016-89, MFSA 2016-90) CVE-2016-5290 Mozilla: Memory safety bugs fixed in Firefox 45.5 (MFSA 2016-90) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2809: ipsilon security update (Important) Red Hat Enterprise Linux 7 The ipsilon packages provide the Ipsilon identity provider service for federated single sign-on (SSO). Ipsilon links authentication providers and applications or utilities to allow for SSO. It includes a server and utilities to configure Apache-based service providers. Security Fix(es): * A vulnerability was found in ipsilon in the SAML2 provider's handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions. (CVE-2016-8638) This issue was discovered by Patrick Uiterwijk (Red Hat) and Howard Johnson. Important Copyright 2016 Red Hat, Inc. CVE-2016-8638 CVE-2016-8638 ipsilon: DoS via logging out all open SAML2 sessions cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2819: memcached security update (Important) Red Hat Enterprise Linux 7 memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Security Fix(es): * Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) * An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached's parsing of SASL authentication messages. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8706) Important Copyright 2016 Red Hat, Inc. CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 CVE-2016-8704 memcached: Server append/prepend remote code execution CVE-2016-8705 memcached: Server update remote code execution CVE-2016-8706 memcached: SASL authentication remote code execution cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2824: expat security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Expat is a C library for parsing XML documents. Security Fix(es): * An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, possibly, execute arbitrary code with the permission of the user running the application. (CVE-2016-0718) Red Hat would like to thank Gustavo Grieco for reporting this issue. Moderate Copyright 2016 Red Hat, Inc. CVE-2016-0718 CVE-2016-0718 expat: Out-of-bounds heap read on crafted input causing crash cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:2825: thunderbird security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.5.0 Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2016-5290) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup as the original reporters. Important Copyright 2016 Red Hat, Inc. CVE-2016-5290 CVE-2016-5290 Mozilla: Memory safety bugs fixed in Firefox 45.5 (MFSA 2016-90) cpe:/o:redhat:enterprise_linux:5 cpe:/a:redhat:rhel_productivity:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2843: firefox security update (Critical) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.5.1 ESR. Security Fix(es): * A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-9079) Red Hat would like to thank the Mozilla project for reporting this issue. Critical Copyright 2016 Red Hat, Inc. CVE-2016-9079 CVE-2016-9079 Mozilla: Firefox SVG Animation Remote Code Execution (MFSA 2016-92) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:2850: thunderbird security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.5.1. Security Fix(es): * A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2016-9079) Red Hat would like to thank the Mozilla project for reporting this issue. Important Copyright 2016 Red Hat, Inc. CVE-2016-9079 CVE-2016-9079 Mozilla: Firefox SVG Animation Remote Code Execution (MFSA 2016-92) cpe:/o:redhat:enterprise_linux:5 cpe:/a:redhat:rhel_productivity:5 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2016:2872: sudo security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es): * It was discovered that the sudo noexec restriction could have been bypassed if application run via sudo executed system(), popen(), or wordexp() C library functions with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could use these flaws to execute arbitrary commands with elevated privileges. (CVE-2016-7032, CVE-2016-7076) These issues were discovered by Florian Weimer (Red Hat). Moderate Copyright 2016 Red Hat, Inc. CVE-2016-7032 CVE-2016-7076 CVE-2016-7032 sudo: noexec bypass via system() and popen() CVE-2016-7076 sudo: noexec bypass via wordexp() cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2946: firefox security update (Critical) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.6.0 ESR. Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-9893, CVE-2016-9899, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898, CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9904, CVE-2016-9905) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Philipp, Wladimir Palant, Nils, Jann Horn, Aral, Andrew Krasichkov, insertscript, Jan de Mooij, Iris Hsiao, Christian Holler, Carsten Book, Timothy Nikkel, Christoph Diehl, Olli Pettay, Raymond Forbes, and Boris Zbarsky as the original reporters. Critical Copyright 2016 Red Hat, Inc. CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898 CVE-2016-9899 CVE-2016-9900 CVE-2016-9901 CVE-2016-9902 CVE-2016-9904 CVE-2016-9905 CVE-2016-9899 Mozilla: Use-after-free while manipulating DOM events and audio elements (MFSA 2016-94, MFSA 2016-95) CVE-2016-9895 Mozilla: CSP bypass using marquee tag (MFSA 2016-94, MFSA 2016-95) CVE-2016-9897 Mozilla: Memory corruption in libGLES (MFSA 2016-94, MFSA 2016-95) CVE-2016-9898 Mozilla: Use-after-free in Editor while manipulating DOM subtrees (MFSA 2016-94, MFSA 2016-95) CVE-2016-9900 Mozilla: Restricted external resources can be loaded by SVG images through data URLs (MFSA 2016-94, MFSA 2016-95) CVE-2016-9904 Mozilla: Cross-origin information leak in shared atoms (MFSA 2016-94, MFSA 2016-95) CVE-2016-9905 Mozilla: Crash in EnumerateSubDocuments (MFSA 2016-94, MFSA 2016-95) CVE-2016-9893 Mozilla: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 (MFSA 2016-95) CVE-2016-9901 Mozilla: Data from Pocket server improperly sanitized before execution (MFSA 2016-94, MFSA 2016-95) CVE-2016-9902 Mozilla: Pocket extension does not validate the origin of events (MFSA 2016-94, MFSA 2016-95) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2972: vim security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Vim (Vi IMproved) is an updated and improved version of the vi editor. Security Fix(es): * A vulnerability was found in vim in how certain modeline options were treated. An attacker could craft a file that, when opened in vim with modelines enabled, could execute arbitrary commands with privileges of the user running vim. (CVE-2016-1248) Moderate Copyright 2016 Red Hat, Inc. CVE-2016-1248 CVE-2016-1248 vim: Lack of validation of values for few options results in code exection cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2016:2973: thunderbird security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.6.0. Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2016-9893, CVE-2016-9899, CVE-2016-9895, CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9905) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Wladimir Palant, Philipp, Andrew Krasichkov, insertscript, Jan de Mooij, Iris Hsiao, Christian Holler, Carsten Book, Timothy Nikkel, Christoph Diehl, Olli Pettay, Raymond Forbes, and Boris Zbarsky as the original reporters. Important Copyright 2016 Red Hat, Inc. CVE-2016-9893 CVE-2016-9895 CVE-2016-9899 CVE-2016-9900 CVE-2016-9901 CVE-2016-9902 CVE-2016-9905 CVE-2016-9899 Mozilla: Use-after-free while manipulating DOM events and audio elements (MFSA 2016-94, MFSA 2016-95) CVE-2016-9895 Mozilla: CSP bypass using marquee tag (MFSA 2016-94, MFSA 2016-95) CVE-2016-9900 Mozilla: Restricted external resources can be loaded by SVG images through data URLs (MFSA 2016-94, MFSA 2016-95) CVE-2016-9905 Mozilla: Crash in EnumerateSubDocuments (MFSA 2016-94, MFSA 2016-95) CVE-2016-9893 Mozilla: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 (MFSA 2016-95) CVE-2016-9901 Mozilla: Data from Pocket server improperly sanitized before execution (MFSA 2016-94, MFSA 2016-95) CVE-2016-9902 Mozilla: Pocket extension does not validate the origin of events (MFSA 2016-94, MFSA 2016-95) cpe:/o:redhat:enterprise_linux:5 cpe:/a:redhat:rhel_productivity:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0001: ipa security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix(es): * It was discovered that the default IdM password policies that lock out accounts after a certain number of failed login attempts were also applied to host and service accounts. A remote unauthenticated user could use this flaw to cause a denial of service attack against kerberized services. (CVE-2016-7030) * It was found that IdM's certprofile-mod command did not properly check the user's permissions while modifying certificate profiles. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates with arbitrary naming or key usage information and subsequently use such certificates for other attacks. (CVE-2016-9575) The CVE-2016-7030 issue was discovered by Petr Spacek (Red Hat) and the CVE-2016-9575 issue was discovered by Liam Campbell (Red Hat). Moderate Copyright 2017 Red Hat, Inc. CVE-2016-7030 CVE-2016-9575 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0013: ghostscript security update (Moderate) Red Hat Enterprise Linux 7 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es): * It was found that the ghostscript functions getenv, filenameforall and .libfile did not honor the -dSAFER option, usually used when processing untrusted documents, leading to information disclosure. A specially crafted postscript document could read environment variable, list directory and retrieve file content respectively, from the target. (CVE-2013-5653, CVE-2016-7977) * It was found that the ghostscript function .setdevice suffered a use-after-free vulnerability due to an incorrect reference count. A specially crafted postscript document could trigger code execution in the context of the gs process. (CVE-2016-7978) * It was found that the ghostscript function .initialize_dsc_parser did not validate its parameter before using it, allowing a type confusion flaw. A specially crafted postscript document could cause a crash code execution in the context of the gs process. (CVE-2016-7979) * It was found that ghostscript did not sufficiently check the validity of parameters given to the .sethalftone5 function. A specially crafted postscript document could cause a crash, or execute arbitrary code in the context of the gs process. (CVE-2016-8602) Moderate Copyright 2017 Red Hat, Inc. CVE-2013-5653 CVE-2016-7977 CVE-2016-7978 CVE-2016-7979 CVE-2016-8602 CVE-2013-5653 ghostscript: getenv and filenameforall ignore -dSAFER CVE-2016-7977 ghostscript: .libfile does not honor -dSAFER CVE-2016-7978 ghostscript: reference leak in .setdevice allows use-after-free and remote code execution CVE-2016-7979 ghostscript: Type confusion in .initialize_dsc_parser allows remote code execution CVE-2016-8602 ghostscript: check for sufficient params in .sethalftone5 cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0018: gstreamer-plugins-bad-free security update (Moderate) Red Hat Enterprise Linux 7 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer-plugins-bad-free package contains a collection of plug-ins for GStreamer. Security Fix(es): * An integer overflow flaw, leading to a heap-based buffer overflow, was found in GStreamer's VMware VMnc video file format decoding plug-in. A remote attacker could use this flaw to cause an application using GStreamer to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2016-9445) * A memory corruption flaw was found in GStreamer's Nintendo NSF music file format decoding plug-in. A remote attacker could use this flaw to cause an application using GStreamer to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2016-9447) * An out-of-bounds heap read flaw was found in GStreamer's H.264 parser. A remote attacker could use this flaw to cause an application using GStreamer to crash. (CVE-2016-9809) Note: This update removes the vulnerable Nintendo NSF plug-in. Moderate Copyright 2017 Red Hat, Inc. CVE-2016-9445 CVE-2016-9447 CVE-2016-9809 CVE-2016-9447 gstreamer-plugins-bad-free: Memory corruption flaw in NSF decoder CVE-2016-9445 gstreamer-plugins-bad-free: Integer overflow when allocating render buffer in VMnc decoder CVE-2016-9809 gstreamer-plugins-bad-free: Off-by-one read in gst_h264_parse_set_caps cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0019: gstreamer-plugins-good security update (Moderate) Red Hat Enterprise Linux 7 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix(es): * Multiple flaws were discovered in GStreamer's FLC/FLI/FLX media file format decoding plug-in. A remote attacker could use these flaws to cause an application using GStreamer to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9808) * An invalid memory read access flaw was found in GStreamer's FLC/FLI/FLX media file format decoding plug-in. A remote attacker could use this flaw to cause an application using GStreamer to crash. (CVE-2016-9807) Note: This update removes the vulnerable FLC/FLI/FLX plug-in. Moderate Copyright 2017 Red Hat, Inc. CVE-2016-9634 CVE-2016-9635 CVE-2016-9636 CVE-2016-9807 CVE-2016-9808 CVE-2016-9634 CVE-2016-9635 CVE-2016-9636 CVE-2016-9808 gstreamer-plugins-good: Heap buffer overflow in FLIC decoder CVE-2016-9807 gstreamer-plugins-good: Invalid memory read in flx_decode_chunks cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0020: gstreamer1-plugins-good security update (Moderate) Red Hat Enterprise Linux 7 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix(es): * Multiple flaws were discovered in GStreamer's FLC/FLI/FLX media file format decoding plug-in. A remote attacker could use these flaws to cause an application using GStreamer to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9808) * An invalid memory read access flaw was found in GStreamer's FLC/FLI/FLX media file format decoding plug-in. A remote attacker could use this flaw to cause an application using GStreamer to crash. (CVE-2016-9807) Note: This update removes the vulnerable FLC/FLI/FLX plug-in. Moderate Copyright 2017 Red Hat, Inc. CVE-2016-9634 CVE-2016-9635 CVE-2016-9636 CVE-2016-9807 CVE-2016-9808 CVE-2016-9634 CVE-2016-9635 CVE-2016-9636 CVE-2016-9808 gstreamer-plugins-good: Heap buffer overflow in FLIC decoder CVE-2016-9807 gstreamer-plugins-good: Invalid memory read in flx_decode_chunks cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0021: gstreamer1-plugins-bad-free security update (Moderate) Red Hat Enterprise Linux 7 GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer. Security Fix(es): * An integer overflow flaw, leading to a heap-based buffer overflow, was found in GStreamer's VMware VMnc video file format decoding plug-in. A remote attacker could use this flaw to cause an application using GStreamer to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2016-9445) * Multiple flaws were discovered in GStreamer's H.264 and MPEG-TS plug-ins. A remote attacker could use these flaws to cause an application using GStreamer to crash. (CVE-2016-9809, CVE-2016-9812, CVE-2016-9813) Moderate Copyright 2017 Red Hat, Inc. CVE-2016-9445 CVE-2016-9809 CVE-2016-9812 CVE-2016-9813 CVE-2016-9445 gstreamer-plugins-bad-free: Integer overflow when allocating render buffer in VMnc decoder CVE-2016-9809 gstreamer-plugins-bad-free: Off-by-one read in gst_h264_parse_set_caps CVE-2016-9812 gstreamer1-plugins-bad-free: Out-of-bounds read in gst_mpegts_section_new CVE-2016-9813 gstreamer-plugins-bad-free: NULL pointer dereference in mpegts parser cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0061: java-1.6.0-openjdk security update (Important) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. Security Fix(es): * It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy() function in certain cases. An untrusted Java application or applet could use this flaw to corrupt virtual machine's memory and completely bypass Java sandbox restrictions. (CVE-2016-5582) * It was discovered that the Hotspot component of OpenJDK did not properly check received Java Debug Wire Protocol (JDWP) packets. An attacker could possibly use this flaw to send debugging commands to a Java program running with debugging enabled if they could make victim's browser send HTTP requests to the JDWP port of the debugged application. (CVE-2016-5573) * It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for Jar integrity verification. This flaw could allow an attacker to modify content of the Jar file that used weak signing key or hash algorithm. (CVE-2016-5542) Note: After this update, MD2 hash algorithm and RSA keys with less than 1024 bits are no longer allowed to be used for Jar integrity verification by default. MD5 hash algorithm is expected to be disabled by default in the future updates. A newly introduced security property jdk.jar.disabledAlgorithms can be used to control the set of disabled algorithms. * A flaw was found in the way the JMX component of OpenJDK handled classloaders. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554) * A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if proxy asked for authentication. (CVE-2016-5597) Note: After this update, Basic HTTP proxy authentication can no longer be used when tunneling HTTPS connection through an HTTP proxy. Newly introduced system properties jdk.http.auth.proxying.disabledSchemes and jdk.http.auth.tunneling.disabledSchemes can be used to control which authentication schemes can be requested by an HTTP proxy when proxying HTTP and HTTPS connections respectively. Important Copyright 2017 Red Hat, Inc. CVE-2016-5542 CVE-2016-5554 CVE-2016-5573 CVE-2016-5582 CVE-2016-5597 CVE-2016-5582 OpenJDK: incomplete type checks of System.arraycopy arguments (Hotspot, 8160591) CVE-2016-5573 OpenJDK: insufficient checks of JDWP packets (Hotspot, 8159519) CVE-2016-5554 OpenJDK: insufficient classloader consistency checks in ClassLoaderWithRepository (JMX, 8157739) CVE-2016-5542 OpenJDK: missing algorithm restrictions for jar verification (Libraries, 8155973) CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838) cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 RHSA-2017:0062: bind security update (Important) Red Hat Enterprise Linux 7 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND processed a response to an ANY query. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-9131) * A denial of service flaw was found in the way BIND handled a query response containing inconsistent DNSSEC information. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-9147) * A denial of service flaw was found in the way BIND handled an unusually-formed DS record response. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-9444) Red Hat would like to thank ISC for reporting these issues. Important Copyright 2017 Red Hat, Inc. CVE-2016-9131 CVE-2016-9147 CVE-2016-9444 CVE-2016-9131 bind: assertion failure while processing response to an ANY query CVE-2016-9147 bind: assertion failure while handling a query response containing inconsistent DNSSEC information CVE-2016-9444 bind: assertion failure while handling an unusually-formed DS record response cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0083: qemu-kvm security and bug fix update (Low) Red Hat Enterprise Linux 7 Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix(es): * An out-of-bounds read-access flaw was found in the QEMU emulator built with IP checksum routines. The flaw could occur when computing a TCP/UDP packet's checksum, because a QEMU function used the packet's payload length without checking against the data buffer's size. A user inside a guest could use this flaw to crash the QEMU process (denial of service). (CVE-2016-2857) Red Hat would like to thank Ling Liu (Qihoo 360 Inc.) for reporting this issue. Bug Fix(es): * Previously, rebooting a guest virtual machine more than 128 times in a short period of time caused the guest to shut down instead of rebooting, because the virtqueue was not cleaned properly. This update ensures that the virtqueue is cleaned more reliably, which prevents the described problem from occurring. (BZ#1393484) Low Copyright 2017 Red Hat, Inc. CVE-2016-2857 CVE-2016-2857 Qemu: net: out of bounds read in net_checksum_calculate() cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0086: kernel security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes, some of which you can see below. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed to the related Knowledge Article: https://access.redhat.com/articles/2857831. Security Fix(es): * A use-after-free vulnerability was found in the kernel's socket recvmmsg subsystem. This may allow remote attackers to corrupt memory and may allow execution of arbitrary code. This corruption takes place during the error handling routines within __sys_recvmmsg() function. (CVE-2016-7117, Important) * A use-after-free vulnerability was found in tcp_xmit_retransmit_queue and other tcp_* functions. This condition could allow an attacker to send an incorrect selective acknowledgment to existing connections, possibly resetting a connection. (CVE-2016-6828, Moderate) * A flaw was found in the Linux kernel's implementation of the SCTP protocol. A remote attacker could trigger an out-of-bounds read with an offset of up to 64kB potentially causing the system to crash. (CVE-2016-9555, Moderate) Bug Fix(es): * Previously, the performance of Internet Protocol over InfiniBand (IPoIB) was suboptimal due to a conflict of IPoIB with the Generic Receive Offload (GRO) infrastructure. With this update, the data cached by the IPoIB driver has been moved from a control block into the IPoIB hard header, thus avoiding the GRO problem and the corruption of IPoIB address information. As a result, the performance of IPoIB has been improved. (BZ#1390668) * Previously, when a virtual machine (VM) with PCI-Passthrough interfaces was recreated, a race condition between the eventfd daemon and the virqfd daemon occurred. Consequently, the operating system rebooted. This update fixes the race condition. As a result, the operating system no longer reboots in the described situation. (BZ#1391611) * Previously, a packet loss occurred when the team driver in round-robin mode was sending a large number of packets. This update fixes counting of the packets in the round-robin runner of the team driver, and the packet loss no longer occurs in the described situation. (BZ#1392023) * Previously, the virtual network devices contained in the deleted namespace could be deleted in any order. If the loopback device was not deleted as the last item, other netns devices, such as vxlan devices, could end up with dangling references to the loopback device. Consequently, deleting a network namespace (netns) occasionally ended by a kernel oops. With this update, the underlying source code has been fixed to ensure the correct order when deleting the virtual network devices on netns deletion. As a result, the kernel oops no longer occurs under the described circumstances. (BZ#1392024) * Previously, a Kabylake system with a Sunrise Point Platform Controller Hub (PCH) with a PCI device ID of 0xA149 showed the following warning messages during the boot: "Unknown Intel PCH (0xa149) detected." "Warning: Intel Kabylake processor with unknown PCH - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://hardware.redhat.com for certified hardware." The messages were shown because this PCH was not properly recognized. With this update, the problem has been fixed, and the operating system now boots without displaying the warning messages. (BZ#1392033) * Previously, the operating system occasionally became unresponsive after a long run. This was caused by a race condition between the try_to_wake_up() function and a woken up task in the core scheduler. With this update, the race condition has been fixed, and the operating system no longer locks up in the described scenario. (BZ#1393719) Important Copyright 2017 Red Hat, Inc. CVE-2016-6828 CVE-2016-7117 CVE-2016-9555 CVE-2016-6828 kernel: Use after free in tcp_xmit_retransmit_queue CVE-2016-7117 kernel: Use-after-free in the recvmmsg exit path CVE-2016-9555 kernel: Slab out-of-bounds access in sctp_sf_ootb() cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0091: kernel-rt security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es): * A use-after-free vulnerability was found in the kernel's socket recvmmsg subsystem. This may allow remote attackers to corrupt memory and may allow execution of arbitrary code. This corruption takes place during the error handling routines within __sys_recvmmsg() function. (CVE-2016-7117, Important) * A use-after-free vulnerability was found in tcp_xmit_retransmit_queue and other tcp_* functions. This condition could allow an attacker to send an incorrect selective acknowledgment to existing connections, possibly resetting a connection. (CVE-2016-6828, Moderate) * A flaw was found in the Linux kernel's implementation of sctp protocol in which a remote attacker can trigger an out of bounds read with an offset of up to 64kB. This may panic the machine with a page-fault. (CVE-2016-9555, Moderate) Bug Fix(es): * The kernel-rt packages have been upgraded to the 3.10.0-514.6.1 source tree, which provides a number of bug fixes over the previous version. (BZ#1401863) * Previously, the device mapper (DM) subsystem was not notified that the real-time kernel changes the way preemption works with spinlocks. This caused a kernel panic when the dm-multipath kernel module was loaded because the interrupt request (IRQ) check was invalid on the real-time kernel. This check has been corrected enabling the system to boot correctly with the dm-multipath module enabled. (BZ#1400930) * Unlike the standard Linux kernel, the real-time kernel does not disable interrupts inside the Interrupt Service Routines driver. Because of this difference, a New API (NAPI) function for turning interrupt requests (IRQ) off was actually being called with IRQs enabled. Consequently, the NAPI poll list was being corrupted, causing improper networking card operation and potential kernel hangs. With this update, the NAPI function has been corrected to force modifications of the poll list to be protected allowing proper operation of the networking card drivers. (BZ#1402837) Important Copyright 2017 Red Hat, Inc. CVE-2016-6828 CVE-2016-7117 CVE-2016-9555 CVE-2016-6828 kernel: Use after free in tcp_xmit_retransmit_queue CVE-2016-7117 kernel: Use-after-free in the recvmmsg exit path CVE-2016-9555 kernel: Slab out-of-bounds access in sctp_sf_ootb() RT kernel panics with dm-multipath enabled kernel-rt: update to the RHEL7.3.z batch#2 source tree cpe:/a:redhat:rhel_extras_rt:7 RHSA-2017:0180: java-1.8.0-openjdk security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es): * It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties. * Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) * A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) * It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) * It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) * It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) * It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) * It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) * Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. Critical Copyright 2017 Red Hat, Inc. CVE-2016-5546 CVE-2016-5547 CVE-2016-5548 CVE-2016-5552 CVE-2017-3231 CVE-2017-3241 CVE-2017-3252 CVE-2017-3253 CVE-2017-3261 CVE-2017-3272 CVE-2017-3289 CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32) CVE-2017-3272 OpenJDK: insufficient protected field access checks in atomic field updaters (Libraries, 8165344) CVE-2017-3289 OpenJDK: insecure class construction (Hotspot, 8167104) CVE-2017-3253 OpenJDK: imageio PNGImageReader failed to honor ignoreMetadata for iTXt and zTXt chunks (2D, 8166988) CVE-2017-3261 OpenJDK: integer overflow in SocketOutputStream boundary check (Networking, 8164147) CVE-2017-3231 OpenJDK: URLClassLoader insufficient access control checks (Networking, 8151934) CVE-2016-5547 OpenJDK: missing ObjectIdentifier length check (Libraries, 8168705) CVE-2016-5552 OpenJDK: incorrect URL parsing in URLStreamHandler (Networking, 8167223) CVE-2017-3252 OpenJDK: LdapLoginModule incorrect userDN extraction (JAAS, 8161743) CVE-2016-5546 OpenJDK: incorrect ECDSA signature extraction from the DER input (Libraries, 8168714) CVE-2016-5548 OpenJDK: DSA implementation timing attack (Libraries, 8168728) CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DCG (RMI, 8156802) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0182: squid security update (Moderate) Red Hat Enterprise Linux 7 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix(es): * It was found that squid did not properly remove connection specific headers when answering conditional requests using a cached request. A remote attacker could send a specially crafted request to an HTTP server via the squid proxy and steal private data from other connections. (CVE-2016-10002) Moderate Copyright 2017 Red Hat, Inc. CVE-2016-10002 CVE-2016-10002 squid: Information disclosure in HTTP request processing cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0190: firefox security update (Critical) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.7.0 ESR. Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380, CVE-2017-5383, CVE-2017-5386, CVE-2017-5390, CVE-2017-5396) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jann Horn, Filipe Gomes, Muneaki Nishimura, Nils, Armin Razmjou, Christian Holler, Gary Kwong, André Bargull, Jan de Mooij, Tom Schuster, Oriol, Rh0, Nicolas Grégoire, and Jerri Rice as the original reporters. Critical Copyright 2017 Red Hat, Inc. CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378 CVE-2017-5380 CVE-2017-5383 CVE-2017-5386 CVE-2017-5390 CVE-2017-5396 CVE-2017-5373 Mozilla: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 (MFSA 2017-01) CVE-2017-5375 Mozilla: Excessive JIT code allocation allows bypass of ASLR and DEP (MFSA 2017-02) CVE-2017-5376 Mozilla: Use-after-free in XSL (MFSA 2017-02) CVE-2017-5378 Mozilla: Pointer and frame data leakage of Javascript objects (MFSA 2017-02) CVE-2017-5380 Mozilla: Potential use-after-free during DOM manipulations (MFSA 2017-02) CVE-2017-5390 Mozilla: Insecure communication methods in Developer Tools JSON viewer (MFSA 2017-02) CVE-2017-5396 Mozilla: Use-after-free with Media Decoder (MFSA 2017-02) CVE-2017-5383 Mozilla: Location bar spoofing with unicode characters (MFSA 2017-02) CVE-2017-5386 Mozilla: WebExtensions can use data: protocol to affect other extensions (MFSA 2017-02) cpe:/o:redhat:enterprise_linux:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0225: libtiff security update (Moderate) Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Security Fix(es): * Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files. (CVE-2016-9533, CVE-2016-9534, CVE-2016-9535) * Multiple flaws have been discovered in various libtiff tools (tiff2pdf, tiffcrop, tiffcp, bmp2tiff). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool. (CVE-2015-8870, CVE-2016-5652, CVE-2016-9540, CVE-2016-9537, CVE-2016-9536) Moderate Copyright 2017 Red Hat, Inc. CVE-2015-8870 CVE-2016-5652 CVE-2016-9533 CVE-2016-9534 CVE-2016-9535 CVE-2016-9536 CVE-2016-9537 CVE-2016-9540 CVE-2016-5652 libtiff: tiff2pdf JPEG Compression Tables Heap Buffer Overflow CVE-2016-9534 libtiff: TIFFFlushData1 heap-buffer-overflow CVE-2016-9535 libtiff: Predictor heap-buffer-overflow CVE-2016-9536 libtiff: t2p_process_jpeg_strip heap-buffer-overflow CVE-2016-9537 libtiff: Out-of-bounds write vulnerabilities in tools/tiffcrop.c CVE-2016-9540 libtiff: cpStripToTile heap-buffer-overflow CVE-2016-9533 libtiff: PixarLog horizontalDifference heap-buffer-overflow CVE-2015-8870 libtiff: Integer overflow in tools/bmp2tiff.c cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:6 RHSA-2017:0238: thunderbird security update (Important) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.7.0. Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380, CVE-2017-5383, CVE-2017-5390, CVE-2017-5396) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jann Horn, Filipe Gomes, Nils, Armin Razmjou, Christian Holler, Gary Kwong, Andre Bargull, Jan de Mooij, Tom Schuster, Oriol, Rh0, Nicolas Gregoire, and Jerri Rice as the original reporters. Important Copyright 2017 Red Hat, Inc. CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378 CVE-2017-5380 CVE-2017-5383 CVE-2017-5390 CVE-2017-5396 CVE-2017-5373 Mozilla: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 (MFSA 2017-01) CVE-2017-5375 Mozilla: Excessive JIT code allocation allows bypass of ASLR and DEP (MFSA 2017-02) CVE-2017-5376 Mozilla: Use-after-free in XSL (MFSA 2017-02) CVE-2017-5378 Mozilla: Pointer and frame data leakage of Javascript objects (MFSA 2017-02) CVE-2017-5380 Mozilla: Potential use-after-free during DOM manipulations (MFSA 2017-02) CVE-2017-5390 Mozilla: Insecure communication methods in Developer Tools JSON viewer (MFSA 2017-02) CVE-2017-5396 Mozilla: Use-after-free with Media Decoder (MFSA 2017-02) CVE-2017-5383 Mozilla: Location bar spoofing with unicode characters (MFSA 2017-02) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 cpe:/a:redhat:rhel_productivity:5 RHSA-2017:0252: ntp security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es): * It was found that when ntp is configured with rate limiting for all associations the limits are also applied to responses received from its configured sources. A remote attacker who knows the sources can cause a denial of service by preventing ntpd from accepting valid responses from its sources. (CVE-2016-7426) * A flaw was found in the control mode functionality of ntpd. A remote attacker could send a crafted control mode packet which could lead to information disclosure or result in DDoS amplification attacks. (CVE-2016-9310) * A flaw was found in the way ntpd implemented the trap service. A remote attacker could send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service. (CVE-2016-9311) * A flaw was found in the way ntpd running on a host with multiple network interfaces handled certain server responses. A remote attacker could use this flaw which would cause ntpd to not synchronize with the source. (CVE-2016-7429) * A flaw was found in the way ntpd calculated the root delay. A remote attacker could send a specially-crafted spoofed packet to cause denial of service or in some special cases even crash. (CVE-2016-7433) Moderate Copyright 2017 Red Hat, Inc. CVE-2016-7426 CVE-2016-7429 CVE-2016-7433 CVE-2016-9310 CVE-2016-9311 CVE-2016-9310 ntp: Mode 6 unauthenticated trap information disclosure and DDoS vector CVE-2016-7429 ntp: Attack on interface selection CVE-2016-7426 ntp: Client rate limiting and server responses CVE-2016-7433 ntp: Broken initial sync calculations regression CVE-2016-9311 ntp: Null pointer dereference when trap service is enabled cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0254: spice security update (Moderate) Red Hat Enterprise Linux 7 The Simple Protocol for Independent Computing Environments (SPICE) is a remote display system built for virtual environments which allows the user to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. Security Fix(es): * A vulnerability was discovered in spice in the server's protocol handling. An authenticated attacker could send crafted messages to the spice server causing a heap overflow leading to a crash or possible code execution. (CVE-2016-9577) * A vulnerability was discovered in spice in the server's protocol handling. An attacker able to connect to the spice server could send crafted messages which would cause the process to crash. (CVE-2016-9578) These issues were discovered by Frediano Ziglio (Red Hat). Moderate Copyright 2017 Red Hat, Inc. CVE-2016-9577 CVE-2016-9578 CVE-2016-9578 spice: Remote DoS via crafted message CVE-2016-9577 spice: Buffer overflow in main_channel_alloc_msg_rcv_buf when reading large messages cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0269: java-1.7.0-openjdk security update (Critical) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es): * It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties. * Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) * A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) * It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) * It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) * It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) * It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) * It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) * Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite. Critical Copyright 2017 Red Hat, Inc. CVE-2016-5546 CVE-2016-5547 CVE-2016-5548 CVE-2016-5552 CVE-2017-3231 CVE-2017-3241 CVE-2017-3252 CVE-2017-3253 CVE-2017-3261 CVE-2017-3272 CVE-2017-3289 CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32) CVE-2017-3272 OpenJDK: insufficient protected field access checks in atomic field updaters (Libraries, 8165344) CVE-2017-3289 OpenJDK: insecure class construction (Hotspot, 8167104) CVE-2017-3253 OpenJDK: imageio PNGImageReader failed to honor ignoreMetadata for iTXt and zTXt chunks (2D, 8166988) CVE-2017-3261 OpenJDK: integer overflow in SocketOutputStream boundary check (Networking, 8164147) CVE-2017-3231 OpenJDK: URLClassLoader insufficient access control checks (Networking, 8151934) CVE-2016-5547 OpenJDK: missing ObjectIdentifier length check (Libraries, 8168705) CVE-2016-5552 OpenJDK: incorrect URL parsing in URLStreamHandler (Networking, 8167223) CVE-2017-3252 OpenJDK: LdapLoginModule incorrect userDN extraction (JAAS, 8161743) CVE-2016-5546 OpenJDK: incorrect ECDSA signature extraction from the DER input (Libraries, 8168714) CVE-2016-5548 OpenJDK: DSA implementation timing attack (Libraries, 8168728) CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DCG (RMI, 8156802) cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:5 RHSA-2017:0276: bind security update (Moderate) Red Hat Enterprise Linux 7 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND handled query responses when both DNS64 and RPZ were used. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure or a null pointer dereference via a specially crafted DNS response. (CVE-2017-3135) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Ramesh Damodaran (Infoblox) and Aliaksandr Shubnik (Infoblox) as the original reporter. Moderate Copyright 2017 Red Hat, Inc. CVE-2017-3135 CVE-2017-3135 bind: Assertion failure when using DNS64 and RPZ Can Lead to Crash cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0286: openssl security update (Moderate) Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * An integer underflow leading to an out of bounds read flaw was found in OpenSSL. A remote attacker could possibly use this flaw to crash a 32-bit TLS/SSL server or client using OpenSSL if it used the RC4-MD5 cipher suite. (CVE-2017-3731) * A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections form other clients. (CVE-2016-8610) Moderate Copyright 2017 Red Hat, Inc. CVE-2016-8610 CVE-2017-3731 CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS CVE-2017-3731 openssl: Truncated packet could crash via OOB read cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0294: kernel security update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system. (CVE-2017-6074, Important) Important Copyright 2017 Red Hat, Inc. CVE-2017-6074 CVE-2017-6074 kernel: use after free in dccp protocol cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0295: kernel-rt security update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es): * A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system. (CVE-2017-6074, Important) Important Copyright 2017 Red Hat, Inc. CVE-2017-6074 CVE-2017-6074 kernel: use after free in dccp protocol cpe:/a:redhat:rhel_extras_rt:7 RHSA-2017:0372: kernel-aarch64 security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel-aarch64 package contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important) * Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path, as an unlimited recursion could unfold in both VLAN and TEB modules, leading to a stack corruption in the kernel. (CVE-2016-7039, Important) Red Hat would like to thank Phil Oester for reporting CVE-2016-5195. Bug Fix(es): * Previously, the operating system did not support the Mellanox ConnectX-4 PCIe Network Interface Controllers (NIC) in Ethernet mode. This update enables Ethernet support in the mlx5 driver. As a result, the Mellanox ConnectX-4 PCIe NICs now work in Ethernet mode as expected. (BZ#1413108) * On the Qualcomm Datacenter Technologies server platform with Qualcomm Datacenter Technologies Centriq 2400 CPU (QDF2400v1) memory accesses sometimes allocated Translation Lookaside Buffer (TLB) entries using an incorrect Address Space ID (ASID). This could consequently result in memory corruption and crashes under certain conditions. The underlying source code has been modified to handle the TTBRx_EL1[ASID] and TTBRx_EL1[BADDR] fields separately using a reserved ASID, and the described problem no longer occurs. (BZ#1421765) Important Copyright 2017 Red Hat, Inc. CVE-2016-5195 CVE-2016-7039 CVE-2016-7039 kernel: remotely triggerable unbounded recursion in the vlan gro code leading to a kernel crash CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0386: kernel security, bug fix, and enhancement update (Important) Red Hat Enterprise Linux 7 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to a null pointer dereference flaw. It could occur on x86 platform, when emulating an undefined instruction. An attacker could use this flaw to crash the host kernel resulting in DoS. (CVE-2016-8630, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2016-8655, Important) * A flaw was discovered in the Linux kernel's implementation of VFIO. An attacker issuing an ioctl can create a situation where memory is corrupted and modify memory outside of the expected area. This may overwrite kernel memory and subvert kernel execution. (CVE-2016-9083, Important) * The use of a kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. This combined with CVE-2016-9083 may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine. (CVE-2016-9084, Moderate) Red Hat would like to thank Philip Pettersson for reporting CVE-2016-8655. Additional Changes: Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/articles/2940041. Important Copyright 2017 Red Hat, Inc. CVE-2016-8630 CVE-2016-8655 CVE-2016-9083 CVE-2016-9084 CVE-2016-9083 kernel: State machine confusion bug in vfio driver leading to memory corruption CVE-2016-9084 kernel: Integer overflow when using kzalloc in vfio driver CVE-2016-8630 kernel: kvm: x86: NULL pointer dereference during instruction decode CVE-2016-8655 kernel: Race condition in packet_set_ring leads to use after free cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0387: kernel-rt security and bug fix update (Important) Red Hat Enterprise Linux 7 The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es): * Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to a null pointer dereference flaw. It could occur on x86 platform, when emulating an undefined instruction. An attacker could use this flaw to crash the host kernel resulting in DoS. (CVE-2016-8630, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2016-8655, Important) * A flaw was discovered in the Linux kernel's implementation of VFIO. An attacker issuing an ioctl can create a situation where memory is corrupted and modify memory outside of the expected area. This may overwrite kernel memory and subvert kernel execution. (CVE-2016-9083, Important) * The use of a kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. This combined with CVE-2016-9083 may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine. (CVE-2016-9084, Moderate) Red Hat would like to thank Philip Pettersson for reporting CVE-2016-8655. Bug Fix(es): * Previously, the asynchronous page fault woke code references spinlocks, which were actually sleeping locks in the RT kernel. Because of this, when the code was executed from the exception context, a bug warning appeared on the console. With this update, the regular wait queue and spinlock code in this area has been modified to use simple-wait-queue and raw-spinlocks. This code change enables the asynchronous page fault code to run in a non-preemptable state without bug warnings. (BZ#1418035) Important Copyright 2017 Red Hat, Inc. CVE-2016-8630 CVE-2016-8655 CVE-2016-9083 CVE-2016-9084 CVE-2016-9083 kernel: State machine confusion bug in vfio driver leading to memory corruption CVE-2016-9084 kernel: Integer overflow when using kzalloc in vfio driver CVE-2016-8630 kernel: kvm: x86: NULL pointer dereference during instruction decode CVE-2016-8655 kernel: Race condition in packet_set_ring leads to use after free kernel-rt: update to the RHEL7.3.z batch#3 source tree [rt-7.3.z] cpe:/a:redhat:rhel_extras_rt:7 RHSA-2017:0388: ipa security and bug fix update (Moderate) Red Hat Enterprise Linux 7 Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix(es): * It was found that IdM's ca-del, ca-disable, and ca-enable commands did not properly check the user's permissions while modifying CAs in Dogtag. An authenticated, unauthorized attacker could use this flaw to delete, disable, or enable CAs causing various denial of service problems with certificate issuance, OCSP signing, and deletion of secret keys. (CVE-2017-2590) This issue was discovered by Fraser Tweedale (Red Hat). Bug Fix(es): * Previously, during an Identity Management (IdM) replica installation that runs on domain level "1" or higher, Directory Server was not configured to use TLS encryption. As a consequence, installing a certificate authority (CA) on that replica failed. Directory Server is now configured to use TLS encryption during the replica installation and as a result, the CA installation works as expected. (BZ#1410760) * Previously, the Identity Management (IdM) public key infrastructure (PKI) component was configured to listen on the "::1" IPv6 localhost address. In environments have the the IPv6 protocol disabled, the replica installer was unable to retrieve the Directory Server certificate, and the installation failed. The default listening address of the PKI connector has been updated from the IP address to "localhost". As a result, the PKI connector now listens on the correct addresses in IPv4 and IPv6 environments. (BZ#1416481) * Previously, when installing a certificate authority (CA) on a replica, Identity Management (IdM) was unable to provide third-party CA certificates to the Certificate System CA installer. As a consequence, the installer was unable to connect to the remote master if the remote master used a third-party server certificate, and the installation failed. This updates applies a patch and as a result, installing a CA replica works as expected in the described situation. (BZ#1415158) * When installing a replica, the web server service entry is created on the Identity Management (IdM) master and replicated to all IdM servers. Previously, when installing a replica without a certificate authority (CA), in certain situations the service entry was not replicated to the new replica on time, and the installation failed. The replica installer has been updated and now waits until the web server service entry is replicated. As a result, the replica installation no longer fails in the described situation. (BZ#1416488) Moderate Copyright 2017 Red Hat, Inc. CVE-2017-2590 ipa-ca-install fails on replica when IPA Master is installed without CA CVE-2017-2590 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full IPA replica install fails with dirsrv errors. replication race condition prevents IPA to install cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0396: qemu-kvm security and bug fix update (Important) Red Hat Enterprise Linux 7 Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es): * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) Red Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615. Bug Fix(es): * When using the virtio-blk driver on a guest virtual machine with no space on the virtual hard drive, the guest terminated unexpectedly with a "block I/O error in device" message and the qemu-kvm process exited with a segmentation fault. This update fixes how the system_reset QEMU signal is handled in the above scenario. As a result, if a guest crashes due to no space left on the device, qemu-kvm continues running and the guest can be reset as expected. (BZ#1420049) Important Copyright 2017 Red Hat, Inc. CVE-2017-2615 CVE-2017-2620 CVE-2017-2615 Qemu: display: cirrus: oob access while doing bitblt copy backward mode system_reset should clear pending request for error (virtio-blk) Remove dependencies required by spice on ppc64le CVE-2017-2620 Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0461: firefox security update (Critical) Red Hat Enterprise Linux 7 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.0 ESR. Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5398, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5404, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5405) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Nils, Jerri Rice, Rh0, Anton Eliasson, David Kohlbrenner, Ivan Fratric of Google Project Zero, Anonymous, Eric Lawrence of Chrome Security, Boris Zbarsky, Christian Holler, Honza Bambas, Jon Coppeard, Randell Jesup, André Bargull, Kan-Ru Chen, and Nathan Froyd as the original reporters. Critical Copyright 2017 Red Hat, Inc. CVE-2017-5398 CVE-2017-5400 CVE-2017-5401 CVE-2017-5402 CVE-2017-5404 CVE-2017-5405 CVE-2017-5407 CVE-2017-5408 CVE-2017-5410 CVE-2017-5400 Mozilla: asm.js JIT-spray bypass of ASLR and DEP (MFSA 2017-06) CVE-2017-5401 Mozilla: Memory Corruption when handling ErrorResult (MFSA 2017-06) CVE-2017-5402 Mozilla: Use-after-free working with events in FontFace objects (MFSA 2017-06) CVE-2017-5404 Mozilla: Use-after-free working with ranges in selections (MFSA 2017-06) CVE-2017-5407 Mozilla: Pixel and history stealing via floating-point timing side channel with SVG filters (MFSA 2017-06) CVE-2017-5410 Mozilla: Memory corruption during JavaScript garbage collection incremental sweeping (MFSA 2017-06) CVE-2017-5408 Mozilla: Cross-origin reading of video captions in violation of CORS (MFSA 2017-06) CVE-2017-5405 Mozilla: FTP response codes can cause use of uninitialized values for ports (MFSA 2017-06) CVE-2017-5398 Mozilla: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8 (MFSA 2017-06) cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0498: thunderbird security update (Important) Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.8.0. Security Fix(es): * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2017-5398, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5404, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5405) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Nils, Jerri Rice, Rh0, Anton Eliasson, David Kohlbrenner, Ivan Fratric of Google Project Zero, Anonymous, Eric Lawrence of Chrome Security, Boris Zbarsky, Christian Holler, Honza Bambas, Jon Coppeard, Randell Jesup, André Bargull, Kan-Ru Chen, and Nathan Froyd as the original reporters. Important Copyright 2017 Red Hat, Inc. CVE-2017-5398 CVE-2017-5400 CVE-2017-5401 CVE-2017-5402 CVE-2017-5404 CVE-2017-5405 CVE-2017-5407 CVE-2017-5408 CVE-2017-5410 CVE-2017-5400 Mozilla: asm.js JIT-spray bypass of ASLR and DEP (MFSA 2017-06) CVE-2017-5401 Mozilla: Memory Corruption when handling ErrorResult (MFSA 2017-06) CVE-2017-5402 Mozilla: Use-after-free working with events in FontFace objects (MFSA 2017-06) CVE-2017-5404 Mozilla: Use-after-free working with ranges in selections (MFSA 2017-06) CVE-2017-5407 Mozilla: Pixel and history stealing via floating-point timing side channel with SVG filters (MFSA 2017-06) CVE-2017-5410 Mozilla: Memory corruption during JavaScript garbage collection incremental sweeping (MFSA 2017-06) CVE-2017-5408 Mozilla: Cross-origin reading of video captions in violation of CORS (MFSA 2017-06) CVE-2017-5405 Mozilla: FTP response codes can cause use of uninitialized values for ports (MFSA 2017-06) CVE-2017-5398 Mozilla: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8 (MFSA 2017-06) cpe:/o:redhat:enterprise_linux:5 cpe:/a:redhat:rhel_productivity:5 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0558: firefox security update (Critical) Red Hat Enterprise Linux 7 Mozilla Firefox is an open source web browser. Security Fix(es): * A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5428) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Chaitin Security Research Lab via Trend Micro's Zero Day Initiative as the original reporters. Critical Copyright 2017 Red Hat, Inc. CVE-2017-5428 CVE-2017-5428 Mozilla: integer overflow in createImageBitmap() (MFSA 2017-08) cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0837: icoutils security update (Important) Red Hat Enterprise Linux 7 The icoutils are a set of programs for extracting and converting images in Microsoft Windows icon and cursor files. These files usually have the extension .ico or .cur, but they can also be embedded in executables or libraries. Security Fix(es): * Multiple vulnerabilities were found in icoutils, in the wrestool program. An attacker could create a crafted executable that, when read by wrestool, could result in memory corruption leading to a crash or potential code execution. (CVE-2017-5208, CVE-2017-5333, CVE-2017-6009) * A vulnerability was found in icoutils, in the wrestool program. An attacker could create a crafted executable that, when read by wrestool, could result in failure to allocate memory or an over-large memcpy operation, leading to a crash. (CVE-2017-5332) * Multiple vulnerabilities were found in icoutils, in the icotool program. An attacker could create a crafted ICO or CUR file that, when read by icotool, could result in memory corruption leading to a crash or potential code execution. (CVE-2017-6010, CVE-2017-6011) Important Copyright 2017 Red Hat, Inc. CVE-2017-5208 CVE-2017-5332 CVE-2017-5333 CVE-2017-6009 CVE-2017-6010 CVE-2017-6011 CVE-2017-5208 icoutils: Check_offset overflow on 64-bit systems CVE-2017-5333 icoutils: Integer overflow vulnerability in extract.c CVE-2017-5332 icoutils: Access to unallocated memory possible in extract.c CVE-2017-6009 icoutils: Buffer overflow in the decode_ne_resource_id function CVE-2017-6010 icoutils: Buffer overflow in the extract_icons function CVE-2017-6011 icoutils: Buffer overflow in the simple_vec function cpe:/o:redhat:enterprise_linux:7 RHSA-2017:0838: openjpeg security update (Moderate) Red Hat Enterprise Linux 7 OpenJPEG is an open source library for reading and writing image files in JPEG2000 format. Security Fix(es): * Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in OpenJPEG. A specially crafted JPEG2000 image could cause an application using OpenJPEG to crash or, potentially, execute arbitrary code. (CVE-2016-5139, CVE-2016-5158, CVE-2016-5159, CVE-2016-7163) * An out-of-bounds read vulnerability was found in OpenJPEG, in the j2k_to_image tool. Converting a specially crafted JPEG2000 file to another format could cause the application to crash or, potentially, disclose some data from the heap. (CVE-2016-9573) * A heap-based buffer overflow vulnerability was found in OpenJPEG. A specially crafted JPEG2000 image, when read by an application using OpenJPEG, could cause the application to crash or, potentially, execute arbitrary code. (CVE-2016-9675) Red Hat would like to thank Liu Bingchang (IIE) for reporting CVE-2016-9573. The CVE-2016-9675 issue was discovered by Doran Moppert (Red Hat Product Security). Moderate Copyright 2017 Red Hat, Inc. CVE-2016-5139 CVE-2016-5158 CVE-2016-5159 CVE-2016-7163 CVE-2016-9573 CVE-2016-9675 CVE-2016-5139 chromium-browser, openjpeg: Heap overflow in parsing of JPEG2000 precincts CVE-2016-5158 chromium-browser, openjpeg: heap overflow due to unsafe use of opj_aligned_malloc CVE-2016-5159 chromium-browser, openjpeg: heap overflow in parsing of JPEG2000 code blocks CVE-2016-7163 openjpeg: Integer overflow in opj_pi_create_decode CVE-2016-9675 openjpeg: incorrect fix for CVE-2013-6045 CVE-2016-9573 openjpeg: heap out-of-bounds read due to insufficient check in imagetopnm() cpe:/o:redhat:enterprise_linux:7 redhat-release-client redhat-release-server redhat-release-workstation redhat-release-computenode java-1.7.0-openjdk java-1.7.0-openjdk-src java-1.7.0-openjdk-demo java-1.7.0-openjdk-headless java-1.7.0-openjdk-javadoc java-1.7.0-openjdk-devel java-1.7.0-openjdk-accessibility kernel kernel-headers kernel-tools kernel-tools-libs perf python-perf kernel-debug-devel kernel-tools-libs-devel kernel-debug kernel-devel kernel-bootwrapper kernel-kdump kernel-kdump-devel kernel-doc kernel-abi-whitelists openssl openssl-devel openssl-perl openssl-static openssl-libs openssl098e gnutls gnutls-dane gnutls-c++ gnutls-utils gnutls-devel java-1.6.0-openjdk java-1.6.0-openjdk-demo java-1.6.0-openjdk-javadoc java-1.6.0-openjdk-devel java-1.6.0-openjdk-src tomcat tomcat-webapps tomcat-lib tomcat-javadoc tomcat-docs-webapp tomcat-admin-webapps tomcat-jsp-2.2-api tomcat-servlet-3.0-api tomcat-jsvc tomcat-el-2.2-api libtasn1 libtasn1-tools libtasn1-devel mariadb mariadb-libs mariadb-embedded-devel mariadb-bench mariadb-embedded mariadb-test mariadb-devel mariadb-server json-c json-c-devel json-c-doc qemu-kvm libcacard libcacard-devel qemu-guest-agent qemu-img libcacard-tools qemu-kvm-common qemu-kvm-tools redhat-release firefox xulrunner xulrunner-devel dovecot dovecot-pigeonhole dovecot-mysql dovecot-devel dovecot-pgsql lzo lzo-minilzo lzo-devel samba libwbclient-devel samba-python samba-winbind-krb5-locator samba-dc-libs samba-winbind-modules samba-winbind-clients samba-devel samba-pidl samba-libs libwbclient samba-dc samba-test-devel libsmbclient-devel samba-common samba-winbind libsmbclient samba-test samba-client samba-vfs-glusterfs libvirt libvirt-daemon-config-network libvirt-daemon-driver-network libvirt-daemon-driver-secret libvirt-login-shell libvirt-daemon libvirt-daemon-driver-storage libvirt-daemon-driver-nodedev libvirt-daemon-config-nwfilter libvirt-devel libvirt-daemon-driver-lxc libvirt-daemon-driver-interface libvirt-daemon-lxc libvirt-docs libvirt-client libvirt-python libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-lock-sanlock libvirt-daemon-kvm nss nss-devel nss-pkcs11-devel nss-tools nspr nspr-devel nss-sysinit httpd mod_proxy_html mod_ldap httpd-tools httpd-devel mod_session httpd-manual mod_ssl resteasy-base resteasy-base-tjws resteasy-base-atom-provider resteasy-base-jaxrs-all resteasy-base-jettison-provider resteasy-base-providers-pom resteasy-base-jackson-provider resteasy-base-jaxrs-api resteasy-base-javadoc resteasy-base-jaxrs resteasy-base-jaxb-provider php php-pdo php-bcmath php-intl php-soap php-ldap php-pgsql php-xml php-common php-gd php-odbc php-mysqlnd php-process php-embedded php-recode php-snmp php-xmlrpc php-cli php-pspell php-devel php-dba php-mbstring php-mysql php-enchant php-fpm 389-ds-base 389-ds-base-libs 389-ds-base-devel nss-util nss-util-devel nss-softokn nss-softokn-freebl-devel nss-softokn-devel nss-softokn-freebl mod_wsgi glibc glibc-devel nscd glibc-common glibc-headers glibc-utils glibc-static httpcomponents-client httpcomponents-client-javadoc squid squid-sysvinit jakarta-commons-httpclient jakarta-commons-httpclient-javadoc jakarta-commons-httpclient-manual jakarta-commons-httpclient-demo procmail haproxy bash bash-doc xerces-j2 xerces-j2-demo xerces-j2-javadoc-apis xerces-j2-scripts xerces-j2-javadoc-xni xerces-j2-javadoc-impl xerces-j2-javadoc-other xerces-j2-javadoc polkit-qt polkit-qt-devel polkit-qt-doc rsyslog rsyslog-mmaudit rsyslog-crypto rsyslog-relp rsyslog-mysql rsyslog-libdbi rsyslog-mmjsonparse rsyslog-doc rsyslog-elasticsearch rsyslog-mmsnmptrapd rsyslog-udpspoof rsyslog-gssapi rsyslog-pgsql rsyslog-mmnormalize rsyslog-gnutls rsyslog-snmp libxml2 libxml2-devel libxml2-static libxml2-python wireshark wireshark-devel wireshark-gnome wget php-tidy php-imap php-zts cups-filters cups-filters-devel cups-filters-libs shim mokutil shim-unsigned shim-signed libvncserver libvncserver-devel kdenetwork kdenetwork-kget-libs kdenetwork-krfb-libs kdenetwork-krdc kdenetwork-common kdenetwork-kdnssd kdenetwork-kget kdenetwork-devel kdenetwork-krdc-devel kdenetwork-kopete-libs kdenetwork-kopete kdenetwork-krdc-libs kdenetwork-krfb kdenetwork-fileshare-samba kdenetwork-kopete-devel libXfont libXfont-devel ruby ruby-libs ruby-devel rubygem-json rubygems-devel ruby-irb rubygem-minitest rubygem-bigdecimal rubygems rubygem-rdoc rubygem-io-console ruby-doc ruby-tcltk rubygem-rake rubygem-psych wpa_supplicant rpm rpm-python rpm-cron rpm-build rpm-build-libs rpm-devel rpm-sign rpm-libs rpm-apidocs xorg-x11-server xorg-x11-server-Xnest xorg-x11-server-Xdmx xorg-x11-server-source xorg-x11-server-Xephyr xorg-x11-server-common xorg-x11-server-Xvfb xorg-x11-server-Xorg xorg-x11-server-devel bind bind-sdb bind-chroot bind-utils bind-libs bind-libbind-devel bind-devel caching-nameserver bind-license bind-sdb-chroot bind-lite-devel bind-libs-lite mailx jasper jasper-devel jasper-libs jasper-utils ntp sntp ntp-doc ntpdate ntp-perl libyaml libyaml-devel subversion subversion-kde subversion-ruby subversion-python subversion-libs mod_dav_svn subversion-gnome subversion-javahl subversion-tools subversion-perl subversion-devel hivex ocaml-hivex ruby-hivex hivex-devel python-hivex perl-hivex ocaml-hivex-devel pcre pcre-devel pcre-tools pcre-static mdds mdds-devel libmwaw libmwaw-doc libmwaw-tools libmwaw-devel libodfgen libodfgen-doc libodfgen-devel libcmis libcmis-devel libcmis-tools libabw libabw-tools libabw-doc libabw-devel libfreehand libfreehand-doc libfreehand-devel libfreehand-tools libetonyek libetonyek-tools libetonyek-devel libetonyek-doc liblangtag liblangtag-doc liblangtag-gobject liblangtag-devel libreoffice libreoffice-langpack-lt libreoffice-opensymbol-fonts libreoffice-langpack-nn libreoffice-langpack-da autocorr-is libreoffice-langpack-nr libreoffice-langpack-zh-Hant libreoffice-graphicfilter libreoffice-langpack-sl libreoffice-librelogo libreoffice-headless autocorr-de libreoffice-gdb-debug-support libreoffice-langpack-uk autocorr-sr libreoffice-core autocorr-es libreoffice-langpack-ro libreoffice-langpack-ar libreoffice-langpack-eu libreoffice-langpack-pt-BR autocorr-pl libreoffice-postgresql libreoffice-langpack-ts libreoffice-langpack-ta libreoffice-sdk-doc libreoffice-langpack-he libreoffice-langpack-nso autocorr-af autocorr-ga libreoffice-langpack-pl autocorr-fi libreoffice-langpack-mai autocorr-ca autocorr-vi autocorr-da autocorr-hr libreoffice-impress libreoffice-langpack-tr libreoffice-langpack-ga libreoffice-langpack-es autocorr-pt libreoffice-langpack-te libreoffice-langpack-lv libreoffice-base libreoffice-langpack-de autocorr-fa libreoffice-langpack-th autocorr-mn libreoffice-nlpsolver libreoffice-ure libreoffice-langpack-fr autocorr-ru libreoffice-langpack-ss autocorr-sv libreoffice-langpack-zh-Hans libreoffice-langpack-ve libreoffice-writer autocorr-it libreoffice-langpack-mr libreoffice-langpack-ja libreoffice-langpack-pt-PT libreoffice-langpack-sk libreoffice-langpack-cy autocorr-tr autocorr-cs libreoffice-emailmerge libreoffice-langpack-hr libreoffice-langpack-kk libreoffice-langpack-af libreoffice-langpack-fa libreoffice-langpack-pa libreoffice-langpack-gu libreoffice-langpack-nl libreoffice-langpack-or libreoffice-langpack-ru autocorr-sl libreoffice-langpack-si libreoffice-langpack-fi libreoffice-langpack-ca libreoffice-langpack-cs autocorr-sk libreoffice-langpack-it libreoffice-rhino libreoffice-langpack-hu libreoffice-langpack-tn libreoffice-langpack-br autocorr-zh autocorr-nl libreoffice-langpack-st libreoffice-sdk libreoffice-pyuno libreoffice-langpack-ko autocorr-hu autocorr-en libreoffice-math libreoffice-langpack-en autocorr-ja libreoffice-langpack-gl libreoffice-glade libreoffice-langpack-kn libreoffice-filters libreoffice-langpack-as libreoffice-langpack-bn autocorr-lb autocorr-fr libreoffice-draw libreoffice-pdfimport libreoffice-langpack-dz libreoffice-langpack-sv libreoffice-wiki-publisher autocorr-lt libreoffice-langpack-hi libreoffice-ogltrans libreoffice-langpack-bg libreoffice-langpack-zu libreoffice-langpack-et libreoffice-calc libreoffice-langpack-xh libreoffice-langpack-sr libreoffice-langpack-ml libreoffice-xsltfilter libreoffice-langpack-nb autocorr-ko libreoffice-langpack-el autocorr-bg libreoffice-bsh autocorr-ro ppc64-diag powerpc-utils openssh openssh-ldap openssh-server openssh-keycat openssh-askpass openssh-server-sysvinit openssh-clients pam_ssh_agent_auth virt-who krb5 krb5-pkinit krb5-devel krb5-server krb5-workstation krb5-server-ldap krb5-libs ipa ipa-python ipa-client ipa-admintools ipa-server ipa-server-trust-ad cogl cogl-doc cogl-devel clutter clutter-devel clutter-doc gnome-shell gnome-shell-browser-plugin mutter mutter-devel thunderbird freetype freetype-devel freetype-demos unzip kernel-rt kernel-rt-trace kernel-rt-trace-devel kernel-rt-devel kernel-rt-debug kernel-rt-debug-devel kernel-rt-virt kernel-rt-virt-devel kernel-rt-doc slapi-nis setroubleshoot setroubleshoot-server setroubleshoot-doc postgresql postgresql-plpython postgresql-server postgresql-plperl postgresql-devel postgresql-docs postgresql-contrib postgresql-libs postgresql-pltcl postgresql-test postgresql-upgrade flac flac-devel flac-libs java-1.8.0-openjdk java-1.8.0-openjdk-devel java-1.8.0-openjdk-demo java-1.8.0-openjdk-headless java-1.8.0-openjdk-javadoc java-1.8.0-openjdk-src java-1.8.0-openjdk-accessibility pcs python-clufter kexec-tools-anaconda-addon kexec-tools-eppic kexec-tools abrt-addon-kerneloops abrt-libs abrt-devel abrt-console-notification abrt-gui-devel abrt-addon-xorg abrt-addon-vmcore abrt-gui abrt-addon-pstoreoops abrt-desktop abrt abrt-gui-libs abrt-addon-python abrt-cli abrt-python abrt-retrace-client abrt-dbus abrt-tui abrt-addon-ccpp abrt-addon-upload-watch abrt-python-doc libreport-plugin-ureport libreport-rhel-anaconda-bugzilla libreport-rhel-bugzilla libreport-gtk libreport-plugin-logger libreport-devel libreport-plugin-mailx libreport-plugin-reportuploader libreport-python libreport-newt libreport libreport-plugin-bugzilla libreport-filesystem libreport-cli libreport-gtk-devel libreport-plugin-kerneloops libreport-plugin-rhtsupport libreport-web libreport-web-devel libreport-compat libreport-anaconda libreport-rhel cups-libs cups-devel cups cups-php cups-lpd cups-ipptool cups-client cups-filesystem mailman libreswan xerces-c xerces-c-devel xerces-c-doc libuser-devel libuser-python libuser lemon sqlite sqlite-tcl sqlite-devel sqlite-doc net-snmp-utils net-snmp net-snmp-libs net-snmp-devel net-snmp-python net-snmp-perl net-snmp-sysvinit net-snmp-agent-libs net-snmp-gui pam pam-devel gdk-pixbuf2 gdk-pixbuf2-devel jakarta-taglibs-standard-javadoc jakarta-taglibs-standard spice-server spice-server-devel spice openldap openldap-servers openldap-servers-overlays openldap-clients openldap-devel compat-openldap openldap-servers-sql libwmf libwmf-lite libwmf-devel java-1.8.0-openjdk-headless-debug java-1.8.0-openjdk-debug java-1.8.0-openjdk-devel-debug java-1.8.0-openjdk-demo-debug java-1.8.0-openjdk-src-debug java-1.8.0-openjdk-javadoc-debug binutils binutils-devel python python-tools python-test tkinter python-libs python-debug python-devel cpio grep libssh2 libssh2-devel libssh2-docs xfsprogs xfsprogs-devel xfsprogs-qa-devel file-devel file-libs file-static file python-magic libcurl-devel libcurl curl rubygem-thor rubygem-thor-doc rubygem-bundler rubygem-bundler-doc realmd realmd-devel-docs tigervnc-server tigervnc tigervnc-server-minimal tigervnc-server-module tigervnc-icons tigervnc-license tigervnc-server-applet rest-devel rest chrony netcf netcf-devel netcf-libs ModemManager-devel ModemManager-glib ModemManager ModemManager-vala ModemManager-glib-devel nm-connection-editor libnm-gtk-devel libnm-gtk network-manager-applet NetworkManager-libreswan-gnome NetworkManager-libreswan NetworkManager-libnm-devel NetworkManager-adsl NetworkManager-devel NetworkManager-wwan NetworkManager NetworkManager-glib-devel NetworkManager-libnm NetworkManager-wifi NetworkManager-tui NetworkManager-team NetworkManager-config-server NetworkManager-glib NetworkManager-bluetooth NetworkManager-config-routing-rules libipa_hbac sssd-ad sssd-krb5 libsss_simpleifp-devel sssd-krb5-common sssd-tools libsss_nss_idmap sssd-ldap libsss_simpleifp sssd-libwbclient sssd-ipa sssd-dbus python-libsss_nss_idmap sssd-libwbclient-devel python-sss sssd-proxy sssd-common-pac libsss_nss_idmap-devel sssd-common python-libipa_hbac libsss_idmap-devel libipa_hbac-devel libsss_idmap sssd python-sss-murmur sssd-client python-sssdconfig openhpi openhpi-libs openhpi-devel pacemaker-cluster-libs pacemaker-libs pacemaker-nagios-plugins-metadata pacemaker-cts pacemaker pacemaker-libs-devel pacemaker-cli pacemaker-doc pacemaker-remote grub2 grub2-tools grub2-efi-modules grub2-efi kernel-rt-debug-kvm kernel-rt-trace-kvm kernel-rt-kvm autofs unbound-devel unbound unbound-python unbound-libs apache-commons-collections-testframework apache-commons-collections apache-commons-collections-testframework-javadoc apache-commons-collections-javadoc git git-daemon git-svn git-all git-cvs git-email perl-Git-SVN git-bzr git-gui gitweb git-hg emacs-git gitk emacs-git-el perl-Git git-p4 libpng12-devel libpng12 libpng-devel libpng-static libpng libreoffice-langpack-ms libreoffice-langpack-ur libreoffice-officebean bind-pkcs11-utils bind-pkcs11-devel bind-pkcs11-libs bind-pkcs11 rpcbind samba-common-libs ctdb samba-common-tools samba-test-libs ctdb-tests samba-client-libs ctdb-devel pyldb ldb-tools libldb pyldb-devel libldb-devel gnutls-guile java-1.8.0-openjdk-accessibility-debug sos polkit polkit-devel polkit-docs samba-domainjoin-gui samba-doc samba-winbind-devel samba-swat samba-glusterfs graphite2-devel graphite2 tdb-tools libtdb-devel python-tdb libtdb libtalloc libtalloc-devel pytalloc-devel pytalloc libtevent python-tevent libtevent-devel ipa-server-selinux openchange openchange-client openchange-devel openchange-devel-docs samba4-winbind samba4-common samba4-devel samba4-client samba4-dc-libs samba4-dc samba4-libs samba4-winbind-clients samba4-winbind-krb5-locator samba4 samba4-test samba4-python samba4-pidl ipa-server-dns mercurial-hgk emacs-mercurial-el emacs-mercurial mercurial ImageMagick-c++ ImageMagick-devel ImageMagick-c++-devel ImageMagick-doc ImageMagick-perl ImageMagick libndp libndp-devel setroubleshoot-plugins ocaml-labltk ocaml-camlp4-devel ocaml-labltk-devel ocaml-camlp4 ocaml-runtime ocaml-compiler-libs ocaml-emacs ocaml-docs ocaml-ocamldoc ocaml-source ocaml ocaml-x11 golang-misc golang-src golang-bin golang-docs golang-tests golang libtiff-tools libtiff-devel libtiff-static libtiff bsdtar bsdcpio libarchive libarchive-devel python-twisted-web virt-p2v libguestfs-gobject-devel libguestfs-gobject lua-guestfs libguestfs-java-devel libguestfs-java ruby-libguestfs python-libguestfs perl-Sys-Guestfs ocaml-libguestfs-devel ocaml-libguestfs virt-dib libguestfs-tools-c libguestfs-xfs libguestfs-rsync libguestfs-rescue libguestfs-devel libguestfs virt-v2v libguestfs-gfs2 libguestfs-javadoc libguestfs-tools libguestfs-inspect-icons libguestfs-bash-completion libguestfs-man-pages-uk libguestfs-gobject-doc libguestfs-man-pages-ja libvirt-nss libpagemaker-devel libpagemaker libpagemaker-tools libpagemaker-doc poppler-cpp poppler-devel poppler-utils poppler-qt poppler-glib-devel poppler-cpp-devel poppler poppler-qt-devel poppler-demos poppler-glib libnl3-doc libnl3 libnl3-cli libnl3-devel libnma libnma-devel NetworkManager-dispatcher-routing-rules nettle nettle-devel gimp-libs gimp-devel gimp gimp-devel-tools gimp-help-nl gimp-help-ja gimp-help-nn gimp-help-ru gimp-help-de gimp-help-pt_BR gimp-help-sl gimp-help-fr gimp-help-it gimp-help-el gimp-help gimp-help-ca gimp-help-zh_CN gimp-help-sv gimp-help-en_GB gimp-help-ko gimp-help-da gimp-help-es dhcp-devel dhcp-libs dhcp-common dhclient dhcp libkadm5 subscription-manager-migration-data python-rhsm-certificates python-rhsm subscription-manager-gui subscription-manager-plugin-container subscription-manager subscription-manager-migration subscription-manager-initial-setup-addon subscription-manager-plugin-ostree sudo sudo-devel 389-ds-base-snmp 389-ds-base-tests python-firewall firewalld-filesystem firewalld firewall-config firewall-applet squid-migration-script fontconfig fontconfig-devel fontconfig-devel-doc mod_nss resteasy-base-client resteasy-base-resteasy-pom libuuid-devel util-linux libblkid libuuid libmount libblkid-devel uuidd libmount-devel powerpc-utils-python systemd-libs systemd libgudev1-devel systemd-python libgudev1 systemd-networkd systemd-resolved systemd-journal-gateway systemd-devel systemd-sysv libgcrypt libgcrypt-devel policycoreutils-python policycoreutils-gui policycoreutils-newrole policycoreutils-sandbox policycoreutils policycoreutils-devel policycoreutils-restorecond ipsilon-tools-ipa ipsilon-persona ipsilon-saml2-base ipsilon-infosssd ipsilon-authldap ipsilon-filesystem ipsilon-saml2 ipsilon ipsilon-base ipsilon-authgssapi ipsilon-authform ipsilon-client memcached-devel memcached expat expat-devel expat-static vim-minimal vim-common vim-filesystem vim-enhanced vim-X11 vim python2-ipaserver ipa-server-common ipa-common python2-ipalib ipa-python-compat ipa-client-common python2-ipaclient ghostscript-gtk ghostscript-devel ghostscript-cups ghostscript ghostscript-doc gstreamer-plugins-bad-free-devel-docs gstreamer-plugins-bad-free-devel gstreamer-plugins-bad-free gstreamer-plugins-good gstreamer-plugins-good-devel-docs gstreamer1-plugins-good gstreamer1-plugins-bad-free gstreamer1-plugins-bad-free-devel java-1.8.0-openjdk-javadoc-zip-debug java-1.8.0-openjdk-javadoc-zip kernel-aarch64 icoutils openjpeg-libs openjpeg openjpeg-devel 199e2f91fd431d51 ^7[^\d] 1:1.7.0.55-2.4.7.2.el7_0 0:3.10.0-123.1.2.el7 1:1.0.1e-34.el7_0.3 0:0.9.8e-29.el7_0.2 0:3.1.18-9.el7_0 1:1.6.0.0-6.1.13.3.el7_0 0:7.0.42-5.el7_0 0:3.3-5.el7_0 1:5.5.37-1.el7_0 0:0.11-4.el7_0 10:1.5.3-60.el7_0.2 5326810137017186 ^5[^\d] 0:24.6.0-1.el5_10 ^6[^\d] 0:24.6.0-1.el6_5 0:24.6.0-1.el7_0 0:3.10.0-123.4.2.el7 1:2.0.9-7.el6_5.1 1:2.2.10-4.el7_0.1 0:7.0.42-6.el7_0 0:2.03-3.1.el6_5.1 0:2.06-6.el7_0.2 0:4.1.1-35.el7_0 1:1.7.0.65-2.5.1.2.el6_5 1:1.7.0.65-2.5.1.2.el7_0 1:1.6.0.0-6.1.13.4.el5_10 1:1.6.0.0-6.1.13.4.el6_5 1:1.6.0.0-6.1.13.4.el7_0 0:1.1.1-29.el7_0.1 0:3.15.3-7.el5_10 0:4.10.6-1.el5_10 0:3.15.4-7.el7_0 0:4.10.6-1.el7_0 0:24.7.0-1.el5_10 0:24.7.0-1.el6_5 0:24.7.0-1.el7_0 0:2.4.6-18.el7_0 1:2.4.6-18.el7_0 0:3.10.0-123.4.4.el7 10:1.5.3-60.el7_0.5 0:4.1.1-37.el7_0 0:2.3.5-3.el7_0 0:5.4.16-23.el7_0 0:3.10.0-123.6.3.el7 0:1.2.11.15-34.el6_5 0:1.3.1.6-26.el7_0 0:7.0.42-8.el7_0 0:1.0.1e-16.el6_5.15 1:1.0.1e-34.el7_0.4 0:3.16.2-1.el7_0 0:3.16.2-2.el7_0 0:3.4-12.el7_0 0:2.5-118.el5_10.3 0:2.12-1.132.el6_5.4 0:2.17-55.el7_0.1 0:24.8.0-2.el5_10 0:24.8.0-1.el6_5 0:24.8.0-1.el7_0 0:4.2.5-5.el7_0 7:3.3.8-12.el7_0 1:3.0-7jpp.4.el5_10 1:3.1-0.9.el6_5 1:3.1-16.el7_0 0:3.22-17.1.2 0:3.22-25.1.el6_5.1 0:3.22-34.el7_0.1 0:3.10.0-123.8.1.el7 0:1.5.2-3.el7_0 0:4.1.2-15.el6_5.1 0:3.2-33.el5.1 0:4.2.45-5.el7_0.2 0:4.1.2-15.el6_5.2 0:3.2-33.el5_11.4 0:4.2.45-5.el7_0.4 0:3.16.1-2.el6_5 0:3.16.1-7.el6_5 0:3.14.3-12.el6_5 0:3.16.1-4.el5_11 0:3.16.2-7.el7_0 0:2.7.1-12.7.el6_5 0:2.11.0-17.el7_0 0:5.4.16-23.el7_0.1 0:1.1.1-29.el7_0.3 0:0.103.0-10.el7_0 0:7.4.7-7.el7_0 1:1.7.0.71-2.5.3.1.el7_0 1:1.7.0.71-2.5.3.1.el6 1:1.6.0.33-1.13.5.0.el5_11 1:1.6.0.33-1.13.5.0.el7_0 1:1.6.0.33-1.13.5.0.el6_6 0:31.2.0-3.el5_11 0:31.2.0-1.el7_0 0:31.2.0-3.el7_0 0:31.2.0-3.el6_6 1:1.0.1e-34.el7_0.6 0:1.0.1e-30.el6_6.2 0:2.9.1-5.el7_0.1 0:2.7.6-17.el6_6.1 10:1.5.3-60.el7_0.10 0:1.10.3-12.el7_0 0:1.8.10-8.el6_6 0:3.10.0-123.9.2.el7 0:1.14-10.el7_0.1 0:1.12-5.el6_6.1 0:5.4.16-23.el7_0.3 0:5.3.3-40.el6_6 0:1.0.35-15.el7_0.1 0:0.7-8.el7_0 0:0.9.9-9.el7_0.1 0:0.9.7-7.el6_6.1 7:4.10.5-8.el7_0 0:3.1.18-10.el7_0 1:5.5.40-1.el7_0 0:1.4.7-2.el7_0 0:1.4.5-4.el6_6 0:2.0.0.353-22.el7_0 0:1.7.7-22.el7_0 0:2.0.14-22.el7_0 0:4.3.2-22.el7_0 0:1.2.0-22.el7_0 0:4.0.0-22.el7_0 0:0.4.2-22.el7_0 0:0.9.6-22.el7_0 0:2.0.0-22.el7_0 0:31.3.0-4.el5_11 0:31.3.0-3.el7_0 0:31.3.0-3.el6_6 0:3.16.2.3-1.el5_11 0:3.16.2.3-1.el7_0 0:3.16.2.3-2.el7_0 0:3.16.2.3-3.el6_6 0:3.16.2.3-2.el6_6 1:2.0-13.el7_0 0:3.10.0-123.13.1.el7 0:4.11.1-18.el7_0 0:1.15.0-7.el7_0.3 0:1.15.0-25.el6_6 30:9.3.6-25.P1.el5_11.2 32:9.9.4-14.el7_0.1 32:9.8.2-0.30.rc1.el6_6.1 0:12.5-12.el7_0 0:12.4-8.el6_6 0:3.10.0-123.13.2.el7 0:1.900.1-26.el7_0.2 0:1.900.1-16.el6_6.2 0:2.17-55.el7_0.3 0:4.2.6p5-19.el7_0 0:4.2.6p5-2.el6_6 0:1.1.1-29.el7_0.4 0:31.4.0-1.el5_11 0:31.4.0-1.el7_0 0:31.4.0-1.el6_6 1:1.0.1e-34.el7_0.7 0:1.0.1e-30.el6_6.5 1:1.7.0.75-2.5.4.2.el7_0 1:1.7.0.75-2.5.4.0.el6_6 0:1.900.1-26.el7_0.3 0:1.900.1-16.el6_6.3 1:1.6.0.34-1.13.6.1.el5_11 1:1.6.0.34-1.13.6.1.el7_0 1:1.6.0.34-1.13.6.1.el6_6 0:2.17-55.el7_0.5 0:2.12-1.149.el6_6.5 0:0.1.4-11.el7_0 0:0.1.3-4.el6_6 0:3.10.0-123.20.1.el7 1:5.5.41-2.el7_0 0:1.7.14-7.el7_0 0:4.1.1-38.el7_0 0:31.5.0-1.el5_11 0:31.5.0-2.el7_0 0:31.5.0-1.el7_0 0:31.5.0-1.el6_6 0:3.10.0-229.el7 0:1.3.10-5.7.el7 0:1.2.8-16.el7 0:2.4.6-31.el7 1:2.4.6-31.el7 0:2.17-78.el7 0:8.32-14.el7 10:1.5.3-86.el7 0:0.10.3-1.el7 0:0.2.0-4.el7 0:0.0.4-1.el7 0:0.4.1-5.el7 0:0.0.2-1.el7 0:0.0.0-3.el7 0:0.0.4-2.el7 0:0.5.4-8.el7 1:4.2.6.3-5.el7 0:2.6.7-6.el7 0:1.2.24-7.el7 0:1.3.3.1-13.el7 0:6.6.1p1-11.el7 0:0.9.3-9.11.el7 0:0.11-5.el7 0:1.12.2-14.el7 0:4.1.0-18.el7 0:1.14.0-6.el7 0:1.14.4-12.el7 0:3.8.4-45.el7 0:3.8.4-16.el7 0:31.5.0-2.el7_1 32:9.8.2-0.30.rc1.el6_6.2 32:9.9.4-18.el7_1.1 0:2.3.11-15.el6_6.1 0:2.4.11-10.el7_1.1 0:6.0-2.el6_6 0:6.0-15.el7 1:1.0.1e-42.el7_1.4 0:31.5.3-1.el5_11 0:31.5.3-1.el6_6 0:31.5.3-3.el7_1 0:3.10.0-229.1.2.el7 0:3.10.0-229.1.2.rt56.141.2.el7_1 0:0.54-3.el7_1 0:4.1.0-18.el7_1.3 0:2.0.5-7.el5_11 0:3.0.47-6.el6_6.1 0:3.2.17-4.1.el7_1 0:2.9.1-5.el7_1.2 0:8.4.20-2.el6_6 0:9.2.10-2.el7_1 0:31.6.0-2.el5_11 0:31.6.0-2.el6_6 0:31.6.0-2.el7_1 0:1.2.1-7.el6_6 0:1.3.0-5.el7_1 0:31.6.0-1.el5_11 0:31.6.0-1.el6_6 0:31.6.0-1.el7_1 0:1.15.0-26.el6_6 0:1.15.0-33.el7_1 1:1.7.0.79-2.5.5.1.el6_6 1:1.7.0.79-2.5.5.1.el7_1 1:1.6.0.35-1.13.7.1.el5_11 1:1.6.0.35-1.13.7.1.el6_6 1:1.6.0.35-1.13.7.1.el7_1 1:1.8.0.45-28.b13.el6_6 1:1.8.0.45-30.b13.el7_1 0:1.3.3.1-16.el7_1 0:0.9.137-13.el7_1.2 0:3.10.0-229.4.2.rt56.141.6.el7_1 0:7.0.54-2.el7_1 0:2.0.7-19.el7_1.2 0:3.10.0-229.4.2.el7 0:38.0-4.el5_11 0:38.0-4.el6_6 0:38.0-3.el7_1 10:1.5.3-86.el7_1.2 0:31.7.0-1.el5_11 0:31.7.0-1.el6_6 0:31.7.0-1.el7_1 0:1.0.1e-30.el6_6.9 1:1.0.1e-42.el7_1.6 0:2.1.11-22.el7_1 0:2.1.11-23.el7_1 1:2.0-17.el7_1 0:1.0.1e-30.el6_6.11 1:1.0.1e-42.el7_1.8 1:1.4.2-67.el6_6.1 1:1.6.3-17.el7_1.1 0:5.4.16-36.el7_1 0:3.10.0-229.7.2.el7 0:3.10.0-229.7.2.rt56.141.6.el7_1 3:2.1.15-21.el7_1 0:3.12-10.1.el7_1 0:3.19.1-1.el6_6 0:3.19.1-3.el6_6 0:3.19.1-1.el7_1 0:3.19.1-3.el7_1 0:3.1.1-7.el7_1 0:8.4.20-3.el6_6 0:9.2.13-1.el7_1 0:38.1.0-1.el5_11 0:38.1.0-1.el6_6 0:38.1.0-1.el7_1 1:1.8.0.51-0.b16.el6_6 1:1.8.0.51-1.b16.el7_1 1:1.7.0.85-2.6.1.3.el6_6 1:1.7.0.85-2.6.1.2.el7_1 32:9.9.4-18.el7_1.2 0:31.8.0-1.el5_11 0:31.8.0-1.el6_6 0:31.8.0-1.el7_1 0:0.60-7.el7_1 10:1.5.3-86.el7_1.5 0:1.14.4-12.el7_1.1 32:9.8.2-0.37.rc1.el6_7.2 32:9.9.4-18.el7_1.3 1:1.6.0.36-1.13.8.1.el5_11 1:1.6.0.36-1.13.8.1.el6_7 1:1.6.0.36-1.13.8.1.el7_1 0:3.10.0-229.11.1.el7 0:3.10.0-229.11.1.rt56.141.11.el7_1 0:38.1.1-1.el5_11 0:38.1.1-1.el6_7 0:38.1.1-1.el7_1 0:38.2.0-4.el5_11 0:38.2.0-4.el6_7 0:38.2.0-4.el7_1 0:3.7.17-6.el7_1.1 1:5.5-54.el6_7.1 1:5.7.2-20.el7_1.1 0:1.1.1-20.el6_7.1 0:1.1.8-12.el7_1.1 1:5.5.44-1.el7_1 0:2.4.6-31.el7_1.1 1:2.4.6-31.el7_1.1 0:38.2.0-1.el7_1 0:38.2.1-1.el5_11 0:38.2.1-1.el6_7 0:38.2.1-1.el7_1 0:2.24.1-6.el6_7 0:2.28.2-5.el7_1 0:1.1.1-11.7.el6_7 0:1.1.2-14.el7_1 0:3.14.3-23.el6_7 0:3.16.2.3-13.el7_1 0:0.9.139-9.el6_7.1 0:0.9.137-13.el7_1.4 32:9.8.2-0.37.rc1.el6_7.4 32:9.9.4-18.el7_1.5 0:1.4.5-5.el6_7 0:1.4.7-3.el7_1 0:0.12.4-9.el7_1.1 0:1.5.4-2.el6_7.1 0:1.5.4-4.el7_1.1 0:1.7.14-7.el7_1.1 0:3.10.0-229.14.1.el7 0:3.10.0-229.14.1.rt56.141.13.el7_1 10:1.5.3-86.el7_1.6 0:38.3.0-2.el5_11 0:38.3.0-2.el6_7 0:38.3.0-2.el7_1 0:2.3.43-29.el5_11 0:2.3.43_2.2.29-29.el5_11 0:2.4.40-6.el6_7 0:2.4.39-7.el7_1 0:38.3.0-1.el5_11 0:38.3.0-1.el6_7 0:38.3.0-1.el7_1 0:0.12.4-9.el7_1.3 0:0.2.8.4-25.el6_7 0:0.2.8.4-41.el7_1 1:1.8.0.65-0.b17.el6_7 1:1.8.0.65-2.b17.el7_1 1:1.7.0.91-2.6.2.2.el6_7 1:1.7.0.91-2.6.2.1.el7_1 0:4.2.6p5-5.el6_7.2 0:4.2.6p5-19.el7_1.3 10:1.5.3-86.el7_1.8 0:3.10.0-229.20.1.rt56.141.14.el7_1 0:3.10.0-229.20.1.el7 0:3.15-5.el7_1 0:3.19.1-5.el6_7 0:4.10.8-2.el6_7 0:3.19.1-2.el6_7 0:4.10.8-2.el7_1 0:3.19.1-7.el7_1.2 0:3.19.1-4.el7_1 0:38.4.0-1.el5_11 0:38.4.0-1.el6_7 0:38.4.0-1.el7_1 0:9.2.14-1.el7_1 0:2.23.52.0.1-55.el7 1:1.6.0.37-1.13.9.4.el5_11 1:1.6.0.37-1.13.9.4.el6_7 1:1.6.0.37-1.13.9.4.el7_1 0:6.6.1p1-22.el7 0:0.9.3-9.22.el7 0:2.7.5-34.el7 0:2.11-24.el7 0:2.20-2.el7 0:2.4.40-8.el7 0:1.4.3-10.el7 0:3.2.2-2.el7 0:3.10.0-327.el7 0:1.13.2-10.el7 0:5.11-31.el7 0:7.29.0-25.el7 0:2.17-106.el7_2.1 0:0.19.1-1.el7 0:1.7.8-3.el7 0:0.16.1-5.el7 0:2.17-105.el7 0:4.2.6p5-22.el7 0:1.3.1-3.el7 0:0.7.92-3.el7 0:2.1.1-1.el7 0:0.2.8-1.el7 0:0.9.143-15.el7 0:1.1.0-8.git20130913.el7 0:1.0.6-2.el7 0:1.0.6-3.el7 1:1.0.6-27.el7 1:5.7.2-24.el7 0:1.13.0-40.el7 0:1.0.35-21.el7 0:3.4.0-2.el7 7:3.3.8-26.el7 0:1.1.13-10.el7 0:1.10.14-7.el7 1:2.02-0.29.el7 0:3.10.0-327.rt56.204.el7 1:5.0.7-54.el7 0:1.4.20-26.el7 0:2.1.11-35.el7 0:2.1.11-31.el7 0:38.4.0-1.el7_2 0:3.2.1-22.el7_2 0:2.9.1-6.el7_2.2 0:3.10.0-327.3.1.el7 0:1.8.3.1-6.el7 0:1.2.50-7.el7_2 2:1.5.13-7.el7_2 0:1.0.1e-42.el6_7.1 1:1.0.1e-51.el7_2.1 1:4.2.8.2-11.el6_7.1 1:4.3.7.2-5.el7_2.1 1:2.02-0.33.el7_2 32:9.8.2-0.37.rc1.el6_7.5 32:9.9.4-29.el7_2.1 0:38.5.0-2.el5_11 0:38.5.0-2.el6_7 0:38.5.0-3.el7_2 0:38.5.0-1.el5_11 0:38.5.0-1.el6_7 0:38.5.0-1.el7_2 0:0.2.0-11.el6_7 0:0.2.0-33.el7_2 0:4.2.3-11.el7_2 0:3.19.1-8.el6_7 0:3.19.1-19.el7_2 0:1.0.1e-42.el6_7.2 1:1.0.1e-51.el7_2.2 0:1.1.13-3.el6_7.1 0:1.1.20-1.el7_2.2 0:2.8.5-19.el6_7 0:3.3.8-14.el7_2 0:6.6.1p1-23.el7_2 0:0.9.3-9.23.el7_2 1:1.8.0.71-2.b15.el7_2 1:1.7.0.95-2.6.4.1.el5_11 1:1.7.0.95-2.6.4.0.el7_2 0:4.2.6p5-5.el6_7.4 0:4.2.6p5-22.el7_2.1 0:3.10.0-327.4.5.el7 0:3.10.0-327.4.5.rt56.206.el7_2 1:1.6.0.38-1.13.10.0.el5_11 1:1.6.0.38-1.13.10.0.el6_7 1:1.6.0.38-1.13.10.0.el7_2 0:38.6.0-1.el5_11 0:38.6.0-1.el6_7 0:38.6.0-1.el7_2 30:9.3.6-25.P1.el5_11.6 32:9.8.2-0.37.rc1.el6_7.6 32:9.9.4-29.el7_2.2 10:1.5.3-105.el7_2.3 0:2.17-106.el7_2.4 0:3.10.0-327.10.1.el7 0:3.2-35.el7_2.3 0:0.112-6.el7_2 0:38.6.1-1.el5_11 0:38.6.1-1.el6_7 0:38.6.1-1.el7_2 0:1.3.4.0-26.el7_2 0:3.10.0-327.10.1.rt56.211.el7_2 0:1.0.1e-42.el6_7.4 1:1.0.1e-51.el7_2.4 0:9.2.15-1.el7_2 0:3.19.1-9.el7_2 0:0.9.8e-20.el6_7.1 0:0.9.8e-29.el7_2.3 0:38.7.0-1.el5_11 0:38.7.0-1.el6_7 0:38.7.0-1.el7_2 0:1.4.2-2.el6_7.1 0:1.4.3-10.el7_2.1 0:3.1.1-8.el7_2 0:3.6.23-25.el6_7 0:4.2.3-12.el7_2 30:9.3.6-25.P1.el5_11.8 32:9.8.2-0.37.rc1.el6_7.7 32:9.9.4-29.el7_2.3 0:0.9.3-9.25.el7_2 0:6.6.1p1-25.el7_2 0:1.7.1-4.el6_7.1 0:1.8.3.1-6.el7_2.1 1:1.7.0.99-2.6.5.0.el5_11 1:1.7.0.99-2.6.5.0.el7_2 1:1.8.0.77-0.b03.el7_2 0:1.13.2-12.el7_2 1:5.5.47-1.el7_2 0:1.3.6-1.el7_2 0:1.3.8-1.el6_7 0:2.1.5-1.el6_7 0:1.1.25-2.el6_7 0:0.9.26-2.el6_7 0:3.0.0-47.el6_7.2 0:1.0-7.el6_7 0:4.2.10-6.el6_7 0:2.1.5-1.el7_2 0:1.3.8-1.el7_2 0:0.9.26-1.el7_2 0:1.1.25-1.el7_2 0:4.2.0-15.el7_2.6.1 0:2.0-10.el7_2 0:4.2.10-6.el7_2 1:1.8.0.91-0.b14.el7_2 1:1.7.0.101-2.6.6.1.el5_11 1:1.7.0.101-2.6.6.1.el7_2 0:4.11.0-1.el7_2 0:3.21.0-2.2.el7_2 0:3.16.2.3-14.2.el7_2 0:3.21.0-9.el7_2 0:45.1.0-1.el5_11 0:45.1.0-1.el6_7 0:45.1.0-1.el7_2 0:2.6.2-6.el7_2 1:1.0.1e-51.el7_2.5 1:1.6.0.39-1.13.11.0.el5_11 1:1.6.0.39-1.13.11.0.el6_7 1:1.6.0.39-1.13.11.0.el7_2 10:1.5.3-105.el7_2.4 0:6.7.2.7-4.el6_7 0:6.7.8.9-13.el7_2 0:8.32-15.el7_2.1 0:3.10.0-327.18.2.el7 0:38.8.0-1.el5_11 0:38.8.0-1.el7_2 0:38.8.0-2.el6_8 0:3.10.0-327.18.2.rt56.223.el7_2 0:1.2-6.el7_2 7:3.3.8-26.el7_2.3 0:4.2.6p5-22.el7_2.2 0:4.2.6p5-10.el6.1 0:0.12.4-15.el7_2.1 0:45.2.0-1.el5_11 0:45.2.0-1.el7_2 0:45.2.0-1.el6_8 0:6.7.8.9-15.el7_2 0:6.7.2.7-5.el6_8 0:3.10.0-327.22.2.el7 0:2.9.1-6.el7_2.3 0:2.7.6-21.el6_8.1 0:3.0.59-2.el7_2 0:3.2.24-4.el7_2 0:4.01.0-22.7.el7_2 0:3.10.0-327.22.2.rt56.230.el7_2 0:45.2-1.el5_11 0:45.2-1.el7_2 0:45.2-1.el6_8 0:2.4.6-40.el7_2.4 1:2.4.6-40.el7_2.4 1:1.8.0.101-3.b13.el7_2 1:1.8.0.101-3.b13.el6_8 0:4.2.10-7.el7_2 1:1.7.0.111-2.6.7.1.el5_11 1:1.7.0.111-2.6.7.2.el7_2 1:1.7.0.111-2.6.7.2.el6_8 0:1.6.3-1.el7_2.1 0:3.10.0-327.28.2.el7 0:3.10.0-327.28.2.rt56.234.el7_2 0:4.0.3-25.el7_2 0:45.3.0-1.el5_11 0:45.3.0-1.el7_2 0:45.3.0-1.el6_8 1:5.5.50-1.el7_2 10:1.5.3-105.el7_2.7 0:5.4.16-36.3.el7_2 0:2.7.5-38.el7_2 0:2.6.6-66.el6_8 0:3.10.0-327.28.3.rt56.235.el7 0:3.10.0-327.28.3.el7 1:1.6.0.40-1.13.12.4.el5_11 1:1.6.0.40-1.13.12.5.el7_2 1:1.6.0.40-1.13.12.6.el6_8 0:4.2.0-15.el7_2.19 0:3.0.0-50.el6_8.2 0:3.1.2-10.el7_2 0:3.10.0-327.36.1.el7 0:3.10.0-327.36.1.rt56.237.el7 0:45.4.0-1.el5_11 0:45.4.0-1.el7_2 0:45.4.0-1.el6_8 1:1.0.1e-51.el7_2.7 0:1.0.1e-48.el6_8.3 30:9.3.6-25.P1.el5_11.9 32:9.9.4-29.el7_2.4 32:9.8.2-0.47.rc1.el6_8.1 0:12.1.0-5.el7_2 0:8.2.0-5.el6_8 0:7.0.54-8.el7_2 0:3.10.0-327.36.2.el7 1:1.8.0.111-1.b15.el7_2 1:1.8.0.111-0.b15.el6_8 0:3.10.0-327.36.3.el7 0:3.10.0-327.36.3.rt56.238.el7 0:2.17-157.el7 0:3.10.0-514.el7 0:7.29.0-35.el7 0:1.32.7-2.el7 1:1.32.7-3.el7 0:2.0.0-10.el7 0:1.1.15-11.el7 0:0.12.1-1.el7 0:0.0.3-1.el7 0:0.5.1-2.el7 1:5.0.6.2-3.el7 0:0.26.5-16.el7 0:1.2.4-1.el7 0:3.2.28-2.el7 0:1.4.0-2.el7 1:1.4.0-12.el7 0:2.7.1-8.el7 0:4.2.6p5-25.el7 0:3.10.0-514.rt56.420.el7 10:1.5.3-126.el7 0:2.7.5-48.el7 0:1.14-13.el7 0:6.6.1p1-31.el7 0:0.9.3-9.31.el7 2:2.8.16-3.el7 0:2.8.2-1.el7 12:4.2.5-47.el7 0:1.14.1-26.el7 0:2.0.31-1.el7 0:1.17.9-1.el7 0:1.17.15-1.el7 0:1.8.6p7-20.el7 0:1.3.5.10-11.el7 1:5.5.52-1.el7 0:0.9.152-10.el7 0:0.4.3.2-8.el7 0:5.4.16-42.el7 0:7.0.69-10.el7 7:3.5.20-2.el7 0:2.10.95-10.el7 0:1.0.14-7.el7 0:3.15-8.el7 0:3.0.6-4.el7 0:2.23.2-33.el7 0:9.2.18-1.el7 0:1.2.1-9.el7 0:219-30.el7_3.3 0:1.1.15-11.el7_3.2 32:9.9.4-38.el7_3 1:1.7.0.121-2.6.8.1.el5_11 1:1.7.0.121-2.6.8.1.el6_8 1:1.7.0.121-2.6.8.0.el7_3 0:1.4.5-12.el6_8 0:1.5.3-13.el7_3.1 0:2.0.83-30.1.el6_8 0:2.5-9.el7 0:3.21.3-2.el5_11 0:3.21.3-1.el6_8 0:3.21.3-2.el6_8 0:3.21.3-1.1.el7_3 0:3.21.3-2.el7_3 0:45.5.0-1.el5_11 0:45.5.0-1.el6_8 0:45.5.0-1.el7_3 0:1.0.0-13.el7_3 0:1.4.15-10.el7_3.1 0:2.0.1-13.el6_8 0:2.1.0-10.el7_3 0:45.5.1-1.el5_11 0:45.5.1-1.el6_8 0:45.5.1-1.el7_3 0:1.8.6p3-25.el6_8 0:1.8.6p7-21.el7_3 0:45.6.0-1.el5_11 0:45.6.0-1.el6_8 0:45.6.0-1.el7_3 2:7.4.629-5.el6_8.1 2:7.4.160-1.el7_3.1 0:4.4.0-14.el7_3.1.1 0:9.07-20.el7_3.1 0:0.10.23-22.el7_3 0:0.10.31-12.el7_3 0:1.4.5-3.el7_3 0:1.4.5-6.el7_3 1:1.6.0.41-1.13.13.1.el5_11 1:1.6.0.41-1.13.13.1.el6_8 1:1.6.0.41-1.13.13.1.el7_3 32:9.9.4-38.el7_3.1 10:1.5.3-126.el7_3.3 0:3.10.0-514.6.1.el7 0:3.10.0-514.6.1.rt56.429.el7 1:1.8.0.121-0.b13.el6_8 1:1.8.0.121-0.b13.el7_3 7:3.5.20-2.el7_3.2 0:45.7.0-2.el5_11 0:45.7.0-2.el6_8 0:45.7.0-2.el7_3 0:3.9.4-21.el6_8 0:4.0.3-27.el7_3 0:45.7.0-1.el5_11 0:45.7.0-1.el6_8 0:45.7.0-1.el7_3 0:4.2.6p5-10.el6_8.2 0:4.2.6p5-25.el7_3.1 0:0.12.4-20.el7_3 1:1.7.0.131-2.6.9.0.el5_11 1:1.7.0.131-2.6.9.0.el6_8 1:1.7.0.131-2.6.9.0.el7_3 32:9.9.4-38.el7_3.2 0:1.0.1e-48.el6_8.4 1:1.0.1e-60.el7_3.1 0:3.10.0-514.6.2.el7 0:3.10.0-514.6.1.rt56.430.el7 0:4.5.0-15.2.1.el7 0:3.10.0-514.10.2.el7 0:3.10.0-514.10.2.rt56.435.el7 0:4.4.0-14.el7_3.6 10:1.5.3-126.el7_3.5 0:52.0-4.el7_3 0:45.8.0-1.el5_11 0:45.8.0-1.el6_8 0:45.8.0-1.el7_3 0:52.0-5.el7_3 0:0.31.3-1.el7_3 0:1.5.1-16.el7_3 golang-github-ymomoi-goval-parser-0.0~git20170813.0.0a0be1d/testfile/cisco-sa-20160323-smi_583.xml000066400000000000000000001372561314404222300311460ustar00rootroot00000000000000 PSIRT OVAL Definition Generator 0.1 5.10 2016-08-10T04:43:29.1961247-05:00 cisco-sa-20160323-smi Cisco IOS show vstack config show vstack config Role: Client show vstack config Role: Not Director show vstack config SmartInstall disabled 12.2(25)SEE 12.2(25)SEG 12.2(25)FZ 12.2(25)SEE1 12.2(35)SE 12.2(25)SEF1 12.2(25)SED 12.2(35)EX 12.2(37)SE 12.2(25)SEE3 12.2(46)EY 12.2(55)EY 12.2(53)SE1 12.2(25)SEF2 12.2(55)SE 12.2(25)SEF3 12.2(40)SE2 12.2(46)SE 12.2(25)SEG5 12.2(44)EX 12.2(46)SE2 12.2(50)SE2 12.2(35)SE5 12.2(50)SE1 12.2(25)SEE4 12.2(35)EX2 15.0(1)EY 12.2(40)EX3 12.2(44)SE2 12.2(40)EX 12.2(58)EZ 12.2(35)SE1 12.2(53)EX 12.2(50)SE5 12.2(25)SEG2 12.2(35)SE4 12.2(44)SE1 12.2(53)SE 12.2(37)SE1 12.2(37)EX 12.2(44)EY 12.2(52)EX 12.2(35)SE3 12.2(44)EX1 12.2(44)SE4 12.2(53)EY 12.2(55)SE3 12.2(53)EZ 15.0(1)SE 12.2(55)SE2 12.2(35)EX1 12.2(40)SE 12.2(44)SE 12.2(25)SEG4 12.2(25)SEE2 12.2(52)SE 12.2(58)SE 12.2(50)SE3 12.2(55)SE1 12.2(37)EY 12.2(35)SE2 12.2(40)SE1 12.2(25)SEG1 12.2(44)SE6 12.2(40)EX2 12.2(44)SE3 12.2(40)EX1 12.2(53)SE2 12.2(55)EX 12.2(52)SE1 12.2(46)EX 12.2(46)SE1 12.2(54)SE 12.2(44)SE5 12.2(50)SE4 12.2(55)EZ 12.2(25)SEG3 12.2(25)SED1 12.2(25)SEG6 12.2(50)SE 12.2(52)EX1 15.0(2)SE 12.2(55)EX1 12.2(58)SE1 12.2(55)SE4 15.0(1)EX 12.2(58)EY 12.2(55)EX2 12.2(58)SE2 15.0(1)SE1 12.2(55)EX3 12.2(58)EY1 12.2(55)SE5 12.2(58)EY2 12.2(58)EX 15.0(1)SE2 12.2(55)SE6 15.1(2)SG 15.0(1)SE3 15.0(2)SE1 15.0(1)EY1 15.0(2)SE2 15.0(2)EC 15.0(2)EB 15.2(1)E 12.2(55)SE7 15.0(2)ED 15.2(2)E 15.0(1)EY2 15.0(2)EY 15.1(2)SG1 15.0(2)EX 15.0(2)EX1 12.2(55)SE8 15.0(2)SE3 12.2(60)EZ 15.0(2)EY1 15.0(2)SE4 15.0(2)EZ 12.2(60)EZ1 15.2(1)EY 15.0(2)EJ 15.0(2)EH 15.0(2)SE5 15.0(2)EY2 15.0(2)EX2 12.2(55)SE9 15.1(2)SG2 15.0(2)ED1 12.2(60)EZ2 15.0(2)EX3 15.1(2)SG3 15.0(2)EX4 15.2(1)E1 15.0(2)EY3 15.1(2)SG4 12.2(60)EZ3 15.0(2)EK 15.0(2)SE6 15.0(2)EX5 15.2(2)EB 15.1(2)SG5 15.0(2)EK1 15.0(2)EJ1 12.2(60)EZ4 15.2(1)EY1 15.2(3)E 15.2(1)E2 12.2(55)SE10 15.2(1)E3 15.0(2)EX6 15.2(2)E1 15.0(2)EX7 15.0(2)SE7 12.2(60)EZ5 15.2(2b)E 15.2(3)E1 15.1(2)SG6 12.2(60)EZ6 15.2(2)E2 15.2(2a)E1 15.0(2)EX8 15.0(2a)EX5 12.2(60)EZ7 12.2(60)EZ8 15.2(3a)E 15.2(2)EA1 15.2(2)EA2 15.2(3)EA 15.2(1)EY2 15.2(3m)E2 15.2(2)EB1 15.2(3m)E3 15.2(2)EB2 15.0(2)EX10 12.2(55)SE11 golang-github-ymomoi-goval-parser-0.0~git20170813.0.0a0be1d/testfile/cisco-sa-20160928-msdp_613.xml000066400000000000000000001054611314404222300313170ustar00rootroot00000000000000 PSIRT OVAL Definition Generator 0.1 5.10 2016-10-20T04:51:20.9475392-05:00 cisco-sa-20160928-msdp-CVE-2016-6382 Cisco IOS show running-config show running-config ip msdp 15.4(1)T 15.3(3)S 15.2(2)E 15.4(1)S 15.4(2)S 15.4(2)T 15.2(1)SY 15.4(3)M 15.3(3)S1 15.3(3)S2 15.3(3)S3 15.3(3)S6 15.4(3)S 15.3(3)S4 15.4(1)CG 15.4(1)T2 15.4(1)T1 15.4(1)T3 15.5(1)S 15.3(3)S1a 15.2(2)EB 15.3(3)S5 15.4(1)S1 15.5(1)T 15.2(3)E 15.3(3)S2a 15.4(1)S2 15.4(2)SN 15.4(2)SN1 15.4(2)S1 15.5(2)S 15.4(1)CG1 15.4(2)CG 15.5(3)M 15.2(2)E1 15.4(2)T1 15.4(1)S3 15.4(3)S1 15.4(3)M1 15.4(2)T3 15.4(2)T2 15.2(2b)E 15.4(3)M2 15.4(2)S2 15.4(3)S2 15.4(3)SN1 15.2(4)E 15.2(3)E1 15.2(2)E2 15.5(1)T1 15.5(1)SN 15.4(1)T4 15.2(2a)E1 15.6(1)S 15.2(1)SY1 15.5(1)S1 15.5(3)S 15.6(1)T 15.5(2)T 15.4(3)S3 15.4(3)M3 15.2(3)E2 15.2(3a)E 15.2(2)EA1 15.2(2)EA2 15.2(3)EA 15.2(1)SY0a 15.2(2)SY 15.3(3)S7 15.4(3)M4 15.4(1)S4 15.4(2)S3 15.4(2)S4 15.4(3)S0d 15.4(3)S4 15.4(2)T4 15.5(1)S2 15.5(1)S3 15.5(2)S1 15.5(2)S2 15.5(1)SN1 15.5(2)SN 15.5(2)SN0a 15.5(1)T2 15.5(1)T3 15.5(2)T1 15.5(2)T2 15.6(2)T 15.2(3)E3 15.2(3m)E2 15.5(3)M1 15.2(1)SY1a 15.3(1)SY 15.4(3)S0e 15.5(3)SN0a 15.2(2)EB1 15.2(4)E1 15.5(3)M0a 15.5(3)S1 15.2(4)EA 15.2(2)E4 15.2(4)EA1 15.4(3)S5 15.5(2)T3 15.5(3)S1a 15.4(3)M5 15.5(3)M2 15.2(2)SY1 15.6(1)T0a 15.5(3)S2 15.6(1)S1 15.6(1)T1 15.3(0)SY 15.5(3)S0a 15.5(3)SN 15.5(2)XB 15.3(3)S6a 15.6(1)SN 15.6(1)SN1 15.2(3m)E5 15.5(3)M2a 15.2(4m)E1 15.2(2)EA3 15.2(2)EB2 15.5(1)T4 15.2(4)EA3 15.6(2)T0a 15.2(3m)E7 15.5(3)S4b golang-github-ymomoi-goval-parser-0.0~git20170813.0.0a0be1d/testfile/com.redhat.rhba-20070331.xml000066400000000000000000000246331314404222300312100ustar00rootroot00000000000000 Red Hat Errata System 5.10.1 2016-11-18T05:41:16 RHBA-2007:0331: conga bug fix update (None) Red Hat Enterprise Linux 5 The Conga package is a web-based administration tool for remote cluster and storage management. This erratum applies the following bug fixes: - The borrowed Zope packages used by Conga have been patched to eliminate a possibility of XSS attack. - Passwords are no longer sent back from the server in cleartext for use as input values. - A form error was fixed so that Conga no longer allows for cluster names of over 15 characters. - An error wherein clusters and systems could not be deleted from the manage systems interface has been addressed. - Entering an incorrect password for a system no longer generates an Unbound Local Reference exception. - Luci failover domain forms are no longer empty - The fence_xvm string in cluster.conf for virtual cluster fencing has been corrected. - The advanced options parameters section has been fixed. - A bug where virtual services were unable for configuration has been addressed. - kmod-gfs-xen is now installed when necessary. - The 'enable shared storage support' checkbox is now cleared when a configuration error is encountered. - When configuring an outer physical cluster, it is no longer necessary to add the fence_xvmd tag manually. Users of Conga are advised to upgrade to these updated packages, which apply these fixes. None Copyright 2007 Red Hat, Inc. CVE-2007-0240 CVE-2007-1462 CVE-2007-1462 security alert - passwords sent back from server as input value CVE-2007-0240 Conga includes version of Zope that is vulnerable to a XSS attack Conga allows creation/rename of clusters with name greater than 15 characters Cluster cannot be deleted (from 'Manage Systems') - but no error results Entering bad password when creating a new cluster = UnboundLocalError: local variable 'e' referenced before assignment luci failover domain forms are missing/empty fence_xvm is incorrectly listed as "xmv" in virtual cluster Advanced options parameters settings don't do anything Unable to configure a virtual service kmod-gfs-xen not installed with Conga install 'enable shared storage' option cleared whenever there is a configuration error Must manually edit cluster.conf on the dom0 cluster to add "<fence_xvmd/>" cpe:/a:redhat:rhel_cluster:5 cpe:/a:redhat:test:5 conga luci redhat-release ricci 5326810137017186 ^5[^\d] 0:0.9.2-6.el5